• Stars
    star
    308
  • Rank 135,712 (Top 3 %)
  • Language
  • License
    GNU Affero Genera...
  • Created about 3 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

MAL-CL (Malicious Command-Line)

Malicious Command-Line (MAL-CL)

MAL-CL (Malicious Command-Line) aims to collect and document real world and most common "malicious" command-line executions of different tools and utilities while providing actionable detections and resources for the blue team.

Author(s)

Motivation

The idea for this project stemmed from our analyses of threat intel reports where we were able to identify that, most of the time, threat actor activities were leveraging LOLBINs and "free" tools to perform their actions.

In our analyses it became evident that the same command-line arguments and tools were being used in the majority of adversary activity. With this in mind we decided to document these common use cases and provide actionable context for the blue team.

Goal

There are two major goals for MAL-CL.

The first is to bring awareness to the abuse of different tools and utilities - used all over the world - by threat actors and malware. The second is to provide a single, central point, that blue teams can use to understand these tools and write better detections.

Coverage Mind Map

The following MindMap display the tools and utilities currently covered by MAL-CL.

coverage-mindmap

Contributing

If you find a process or a tool that has some command-line options that can or have been (ab)used, please consider contributing them.

  • Create a folder with a name of the tool inside one of the available platforms (Other, NirSoft Utilities, Antivirus, Windows, Windows 2000 Resource Kit Tools, Sysinternals).
  • Inside that folder create a README.md (Descriptor) file.

You can use the template available here or simply copy one the already existsting README files and use it as a base. Please follow the same structure and don't remove any titles (all are required).

Looking forward to your awesome contributions.

Feedback

Found this interesting? Have a question/comment/request? Let us know!

Feel free to open an issue or ping us on Twitter.

Twitter