Cylaris AWESOMEKQL is an awesome repository of detection R&D created exclusively by the Cylaris Threat Research Group (TRG)
This repo is for:
- SOC Analysts (Threat Hunting)
- SOC Engineers (Detection Packs)
- Researchers
- Linux Nerds

Detection content in this repo comes in three types:
- Network Level Indicators: a first-effort response that uses the earliest IOCs uncovered while bad actors are exploiting a vulnerability. Usually unreliable, but good for a first response.
- Static Indicators: attributes of artifacts that have been seen historically. Again, these are unreliable, but they can prevent many attacks nonetheless.
- Behavioural Patterns (Heuristic): after analysis of various research, as well as our own tests, most malware families and even APTs share many similar traits, and this is where we can identify those patterns. Most of our detection packs use this; however, these take a LOT of time for research and testing, so you may see us release the previous types initially as a first-effort mitigation and detection.
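As an added example, not one of the repo's own packs, the three types written as a single Microsoft 365 Defender Advanced Hunting query, with each tier labelled so they can be compared side by side. The table and column names are Defender's; the IP, domain and hash values are constructed placeholders, not real IOCs; and certutil download/decode usage stands in for the behavioural tier because the repo ships a Certutil Abuse pack.

```kql
// Added example (not a Cylaris pack): the three indicator tiers as one Advanced Hunting query.
// Every indicator value below is a constructed placeholder, not a real IOC.
let lookback = 7d;
// Tier 1 - network level: the earliest IOCs (C2 IP / domain) from an exploitation write-up.
// Fast to deploy, trivially rotated by the actor, hence "unreliable".
let NetworkIOCs = dynamic(["198.51.100.23", "example-c2.invalid"]);   // RFC 5737 test IP and .invalid domain, constructed
// Tier 2 - static: an attribute of the artifact itself, e.g. a file hash. Defeated by a recompile.
let StaticHashes = dynamic(["PLACEHOLDER_SHA256_FROM_ADVISORY"]);       // replace with the hash an advisory gives you
let NetworkTier = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in (NetworkIOCs) or RemoteUrl has_any (NetworkIOCs)
| project Timestamp, DeviceName, Tier = "1-Network",
          Detail = strcat(InitiatingProcessFileName, " -> ", coalesce(RemoteUrl, RemoteIP));
let StaticTier = union DeviceFileEvents, DeviceProcessEvents
| where Timestamp > ago(lookback)
| where SHA256 in (StaticHashes)
| project Timestamp, DeviceName, Tier = "2-Static",
          Detail = strcat(FileName, " sha256=", SHA256);
// Tier 3 - behavioural: the trait shared across families rather than one sample's fingerprint.
// Here: certutil used as a downloader (-urlcache with a URL) or as a decoder (-decode / -decodehex).
let BehaviouralTier = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-urlcache", "-decode", "-decodehex")
| where ProcessCommandLine has_any ("http://", "https://") or ProcessCommandLine has_any ("-decode", "-decodehex")
| project Timestamp, DeviceName, Tier = "3-Behavioural",
          Detail = strcat(InitiatingProcessFileName, " spawned: ", ProcessCommandLine);
union NetworkTier, StaticTier, BehaviouralTier
| order by Tier asc, Timestamp desc
```

Running the tiers as one query makes the trade-off visible in the results: tier 1 and 2 hits disappear as soon as the actor rotates infrastructure or rebuilds the binary, while tier 3 keeps firing on the technique, at the cost of needing the research and tuning the text above describes.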

Detection packs:
OAuth App Abuse
App Installer Abuse
BITSAdmin Abuse
Certutil Abuse
CScript Abuse
Findstr Abuse
HAFNIUM
- Tracking of the Hafnium malware. Likely aligned with APT40; known to target the US.
QakBot
- Tracking of the QBot/Qakbot malware, a modular information stealer.
Ransomware
Scraping
- Twitter IOC ingestion, inline. Pulls from the 0xDanielLopez TweetFeed and ingests it inline; a mapped version is also included.
Phishing
- Clicked Link tracker (maps an email URL to endpoint logs).
- Browser spawned on URL click.
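The Phishing entries describe one chain: a link in an email, the browser the mail client spawns when it is clicked, and the email the link came from. As an added example, not the repo's own pack, here is one way to stitch those together in Advanced Hunting. Assumptions: Defender's DeviceProcessEvents, EmailUrlInfo and EmailEvents tables; the browser list is illustrative; the clicked URL is read from the browser command line, which Outlook passes on click; and Safe Links rewrites are unwrapped from the `url` query parameter, which is how that service encodes the original link.

```kql
// Added example (not a Cylaris pack): map a URL clicked in Outlook to the browser that opened it
// and back to the email that carried it. Table/column names are Defender Advanced Hunting's.
let lookback = 7d;
let mailWindow = 3d;   // how far before the click the email may have arrived (assumption)
let browsers = dynamic(["msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"]);   // illustrative list
// 1. Browser spawned by the mail client with a URL on its command line = a link click on the endpoint.
let BrowserClicks = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ (browsers)
| extend RawUrl = extract(@"(https?://[^\s""']+)", 1, ProcessCommandLine)
| where isnotempty(RawUrl)
// Safe Links wraps the original link as ?url=<encoded>; unwrap it so we match the real destination.
| extend ClickedUrl = iff(RawUrl has "safelinks.protection.outlook.com",
                          url_decode(tostring(parse_url(RawUrl)["Query Parameters"]["url"])),
                          RawUrl)
| extend ClickedHost = tolower(tostring(parse_url(ClickedUrl).Host))
| where isnotempty(ClickedHost)
| project ClickTime = Timestamp, DeviceName, AccountUpn = tolower(AccountUpn),
          Browser = FileName, ClickedUrl, ClickedHost;
// 2. URLs seen in delivered email, keyed by host so tracking parameters do not break the match.
let MailUrls = EmailUrlInfo
| where Timestamp > ago(lookback + mailWindow)
| project MailTime = Timestamp, NetworkMessageId, MailUrl = Url, UrlHost = tolower(UrlDomain);
// 3. Click -> email URL -> email metadata, keeping only mail that arrived before the click
//    and was addressed to the user who clicked.
BrowserClicks
| join kind=inner MailUrls on $left.ClickedHost == $right.UrlHost
| where MailTime between ((ClickTime - mailWindow) .. ClickTime)
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback + mailWindow)
    | project NetworkMessageId, SenderFromAddress, Subject, DeliveryAction,
              RecipientEmailAddress = tolower(RecipientEmailAddress)
  ) on NetworkMessageId
| where RecipientEmailAddress == AccountUpn
| project ClickTime, DeviceName, AccountUpn, Browser, ClickedUrl, MailUrl,
          SenderFromAddress, Subject, DeliveryAction, MailTime, NetworkMessageId
| order by ClickTime desc
```

Matching on host rather than the full URL is a deliberate loosening: it survives per-recipient tracking tokens and Safe Links rewriting at the cost of a few extra rows when the same domain appears in unrelated mail, which the recipient and time-window filters keep small. Any child process of the matched browser PID can then be pulled from DeviceProcessEvents in a follow-up hunt.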