|
37 | 37 | "*.share.zrok.io*",".{0,1000}\.share\.zrok\.io.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3003","119","2025-02-28T15:48:39Z","2022-07-18T19:14:51Z" |
38 | 38 | "*.srv.browser.lol*",".{0,1000}\.srv\.browser\.lol.{0,1000}","greyware_tool_keyword","browser.lol","Virtual Browser - Safely visit blocked or risky websites - can be used to bypass network restrictions within a corporate environment","T1071 - T1090 - T1562","TA0005","N/A","N/A","Defense Evasion","https://browser.lol","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A" |
39 | 39 | "*.static.mega.co.nz*",".{0,1000}\.static\.mega\.co\.nz.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A" |
40 | | -"*.trycloudfare.com*DavWWWRoot*",".{0,1000}\.trycloudfare\.com.{0,1000}DavWWWRoot.{0,1000}","greyware_tool_keyword","trycloudfare","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A" |
| 40 | +"*.trycloudfare.com*DavWWWRoot*",".{0,1000}\.trycloudfare\.com.{0,1000}DavWWWRoot.{0,1000}","greyware_tool_keyword","trycloudflare.com","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A" |
41 | 41 | "*.tunnel.pyjam.as*",".{0,1000}\.tunnel\.pyjam\.as.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A" |
42 | 42 | "*.tunnelto.dev*",".{0,1000}\.tunnelto\.dev.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2152","116","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z" |
43 | 43 | "*.userstorage.mega.co.nz/ul/*",".{0,1000}\.userstorage\.mega\.co\.nz\/ul\/.{0,1000}","greyware_tool_keyword","mega.co.nz","uploading data to mega cloud","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR - Dispossessor","Data Exfiltration","https://mega.io/","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A" |
|
951 | 951 | "*http://*.remote.moe/*",".{0,1000}http\:\/\/.{0,1000}\.remote\.moe\/.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","1","N/A","N/A","10","10","284","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z" |
952 | 952 | "*http://*.serveo.net*",".{0,1000}http\:\/\/.{0,1000}\.serveo\.net.{0,1000}","greyware_tool_keyword","serveo.net","Expose local servers to the internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://serveo.net","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A" |
953 | 953 | "*http://*.ssi.sh*",".{0,1000}http\:\/\/.{0,1000}\.ssi\.sh.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","1","N/A","N/A","10","10","4134","317","2025-02-23T16:05:12Z","2019-02-15T15:36:23Z" |
954 | | -"*http://*.trycloudfare.com*",".{0,1000}http\:\/\/.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudfare","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A" |
| 954 | +"*http://*.trycloudfare.com*",".{0,1000}http\:\/\/.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudflare.com","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A" |
955 | 955 | "*http://*.tunnelmole.net*",".{0,1000}http\:\/\/.{0,1000}\.tunnelmole\.net.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1344","83","2025-02-11T09:18:26Z","2023-02-08T08:27:57Z" |
956 | 956 | "*http://*.zrok.io*",".{0,1000}http\:\/\/.{0,1000}\.zrok\.io.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3003","119","2025-02-28T15:48:39Z","2022-07-18T19:14:51Z" |
957 | 957 | "*http://*:9000/restic*",".{0,1000}http\:\/\/.{0,1000}\:9000\/restic.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","27784","1585","2025-03-01T01:53:27Z","2014-04-27T14:07:58Z" |
|
1024 | 1024 | "*https://*.ssi.sh*",".{0,1000}https\:\/\/.{0,1000}\.ssi\.sh.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","1","N/A","N/A","10","10","4134","317","2025-02-23T16:05:12Z","2019-02-15T15:36:23Z" |
1025 | 1025 | "*https://*.tacticalrmm.com/*",".{0,1000}https\:\/\/.{0,1000}\.tacticalrmm\.com\/.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3435","472","2025-02-27T00:52:54Z","2019-10-22T22:19:12Z" |
1026 | 1026 | "*https://*.telebit.io*",".{0,1000}https\:\/\/.{0,1000}\.telebit\.io.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A" |
1027 | | -"*https://*.trycloudfare.com*",".{0,1000}https\:\/\/.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudfare","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A" |
| 1027 | +"*https://*.trycloudfare.com*",".{0,1000}https\:\/\/.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudflare.com","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A" |
1028 | 1028 | "*https://*.trycloudflare.com*",".{0,1000}https\:\/\/.{0,1000}\.trycloudflare\.com.{0,1000}","greyware_tool_keyword","trycloudflare.com","Attackers abuse this service to expose malicious servers on a *.trycloudflare.com subdomain","T1567.002 - T1102 - T1071.001 - T1036","TA0001 - TA0005 - TA0009","N/A","N/A","Collection","https://lots-project.com/site/2a2e747279636c6f7564666c6172652e636f6d","0","1","N/A","N/A","8","8","N/A","N/A","N/A","N/A" |
1029 | 1029 | "*https://*.tunnelmole.net*",".{0,1000}https\:\/\/.{0,1000}\.tunnelmole\.net.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1344","83","2025-02-11T09:18:26Z","2023-02-08T08:27:57Z" |
1030 | 1030 | "*https://*.use.devtunnels.ms*",".{0,1000}https\:\/\/.{0,1000}\.use\.devtunnels\.ms.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","0","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A" |
|
1469 | 1469 | "*pyinstaller-script.py*",".{0,1000}pyinstaller\-script\.py.{0,1000}","greyware_tool_keyword","pyinstaller","PyInstaller bundles a Python application and all its dependencies into a single package executable.","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","N/A","N/A","Resource Development","https://www.pyinstaller.org/","1","1","N/A","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A" |
1470 | 1470 | "*pyjam.as/tunnel*",".{0,1000}pyjam\.as\/tunnel.{0,1000}","greyware_tool_keyword","tunnel.pyjam.as","SSL-terminated ephemeral HTTP tunnels to your local machine - no custom software required (thanks to wireguard)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A" |
1471 | 1471 | "*q3k/crowbar*",".{0,1000}q3k\/crowbar.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z" |
1472 | | -"*QNAME*.trycloudfare.com*",".{0,1000}QNAME.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudfare","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","#dnsquery","N/A","10","10","N/A","N/A","N/A","N/A" |
| 1472 | +"*QNAME*.trycloudfare.com*",".{0,1000}QNAME.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudflare.com","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","#dnsquery","N/A","10","10","N/A","N/A","N/A","N/A" |
1473 | 1473 | "*Quasar.Client.*",".{0,1000}Quasar\.Client\..{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9032","2528","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z" |
1474 | 1474 | "*Quasar.exe*",".{0,1000}Quasar\.exe.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9032","2528","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z" |
1475 | 1475 | "*Quasar.sln*",".{0,1000}Quasar\.sln.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9032","2528","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z" |
|
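Review bot: The keyword and regex columns on the four changed rows (new lines 40, 954, 1027 and 1472) still spell the domain `trycloudfare.com`, without the `l`, so they cannot match the `.trycloudflare.com` hostnames that the description and the renamed tool field refer to. Only the untouched row at 1028 (`*https://*.trycloudflare.com*`) uses the correct spelling, which leaves the `http://`, `DavWWWRoot` and `QNAME` variants without working coverage. I would correct both columns on each row, e.g. `"*http://*.trycloudflare.com*",".{0,1000}http\:\/\/.{0,1000}\.trycloudflare\.com.{0,1000}"`, and check whether the corrected https row at 1027 then duplicates 1028. If the misspelled domain is tracked on purpose as a look-alike, the description column should say so, because as written it describes the legitimate Cloudflare Tunnel hostname.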