WithSecureLabs · FranticTyping · Apr 1, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 12, 2026
@@ -0,0 +1,43 @@
+---
+title: AnyViewer
+group: MFT
+description: AnyViewer (remote management tool) artifacts
+authors:
+  - Krzysztof Kuzin
+
+kind: mft
+level: medium
+status: stable
+timestamp: StandardInfoCreated
+
+fields:
+  - name: FileNamePath
+    to: FullPath
+  - name: StandardInfoLastModified0x10
+    to: StandardInfoLastModified
+  - name: StandardInfoLastAccess0x10
+    to: StandardInfoLastAccess
+  - name: FileNameCreated0x30
+    to: FileNameCreated
+  - name: FileNameLastModified0x30
+    to: FileNameLastModified
+  - name: FileNameLastAccess0x30
+    to: FileNameLastAccess
+  - name: FileSize
+    to: FileSize
+  - name: IsADirectory
+    to: IsADirectory
+  - name: IsDeleted
+    to: IsDeleted
+  - name: HasAlternateDataStreams
+    to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
+
+filter:
+  condition: anyviewer
+
+  anyviewer:
+    FullPath:
+      - 'i*AnyViewer.exe*'
+      - 'i*RCService.exe*'
@@ -0,0 +1,47 @@
+---
+title: Atera Agent
+group: MFT
+description: Atera Agent (remote management tool) artifacts
+authors:
+  - Krzysztof Kuzin
+
+
+kind: mft
+level: medium
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+  - name: FileNamePath
+    to: FullPath
+  - name: StandardInfoLastModified0x10
+    to: StandardInfoLastModified
+  - name: StandardInfoLastAccess0x10
+    to: StandardInfoLastAccess
+  - name: FileNameCreated0x30
+    to: FileNameCreated
+  - name: FileNameLastModified0x30
+    to: FileNameLastModified
+  - name: FileNameLastAccess0x30
+    to: FileNameLastAccess
+  - name: FileSize
+    to: FileSize
+  - name: IsADirectory
+    to: IsADirectory
+  - name: IsDeleted
+    to: IsDeleted
+  - name: HasAlternateDataStreams
+    to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
+
+filter:
+  condition: ateraagent
+
+  ateraagent:
+    FullPath:
+      - 'i*atera_agent.exe*'
+      - 'i*ateraagent.exe*'
+      - 'i*AgentPackageNetworkDiscovery.exe*'
+      - 'i*AgentPackageTaskScheduler.exe*'
@@ -0,0 +1,44 @@
+---
+title: KslKatz
+group: MFT
+description: KslKatz Credential Dumping Framework
+authors:
+  - Krzysztof Kuzin
+
+
+kind: mft
+level: high
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+  - name: FileNamePath
+    to: FullPath
+  - name: StandardInfoLastModified0x10
+    to: StandardInfoLastModified
+  - name: StandardInfoLastAccess0x10
+    to: StandardInfoLastAccess
+  - name: FileNameCreated0x30
+    to: FileNameCreated
+  - name: FileNameLastModified0x30
+    to: FileNameLastModified
+  - name: FileNameLastAccess0x30
+    to: FileNameLastAccess
+  - name: FileSize
+    to: FileSize
+  - name: IsADirectory
+    to: IsADirectory
+  - name: IsDeleted
+    to: IsDeleted
+  - name: HasAlternateDataStreams
+    to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
+
+filter:
+  condition: kslkatz
+
+  kslkatz:
+    FullPath:
+      - 'i*KslKatz.exe*'
@@ -0,0 +1,50 @@
+---
+title: MeshAgent
+group: MFT
+description: MeshAgent (remote management tool) artifacts
+authors:
+  - Krzysztof Kuzin
+
+
+kind: mft
+level: medium
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+  - name: FileNamePath
+    to: FullPath
+  - name: StandardInfoLastModified0x10
+    to: StandardInfoLastModified
+  - name: StandardInfoLastAccess0x10
+    to: StandardInfoLastAccess
+  - name: FileNameCreated0x30
+    to: FileNameCreated
+  - name: FileNameLastModified0x30
+    to: FileNameLastModified
+  - name: FileNameLastAccess0x30
+    to: FileNameLastAccess
+  - name: FileSize
+    to: FileSize
+  - name: IsADirectory
+    to: IsADirectory
+  - name: IsDeleted
+    to: IsDeleted
+  - name: HasAlternateDataStreams
+    to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
+
+filter:
+  condition: meshagent
+
+  meshagent:
+    FullPath:
+      - 'i*meshagent.exe*'
+      - 'i*meshagent64.exe*'
+      - 'i*meshagent.proxy*'
+      - 'i*meshagent64.proxy*'
+      - 'i*meshagent.log*'
+      - 'i*meshagent.msh*'
+      - 'i*meshagent.db*'
@@ -0,0 +1,64 @@
+---
+title: Netexec
+group: MFT
+description: Netexec - network service exploitation tool
+authors:
+  - Krzysztof Kuzin
+
+kind: mft
+level: high
+status: stable
+timestamp: StandardInfoCreated
+
+fields:
+  - name: FileNamePath
+    to: FullPath
+  - name: StandardInfoLastModified0x10
+    to: StandardInfoLastModified
+  - name: StandardInfoLastAccess0x10
+    to: StandardInfoLastAccess
+  - name: FileNameCreated0x30
+    to: FileNameCreated
+  - name: FileNameLastModified0x30
+    to: FileNameLastModified
+  - name: FileNameLastAccess0x30
+    to: FileNameLastAccess
+  - name: FileSize
+    to: FileSize
+  - name: IsADirectory
+    to: IsADirectory
+  - name: IsDeleted
+    to: IsDeleted
+  - name: HasAlternateDataStreams
+    to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
+
+filter:
+  condition: netexec or netexec1 or netexec2 or netexec3
+
+  netexec:
+    FullPath:
+      - 'i*nxc.exe*'
+
+   netexec1:
+    FullPath:
+      - 'i*.nxc\workspaces*'
+      - 'i*.nxc\workspaces\default*'
+
+    netexec2:
+    FullPath:
+      - 'inxc.conf*'
+
+    netexec3:
+    FullPath:
+      - 'iftp.db*'
+      - 'ildap.db*'
+      - 'imssql.db*'
+      - 'infs.db*'
+      - 'irdp.db*'
+      - 'ismb.db*'
+      - 'issh.db*'
+      - 'ivnc.db*'
+      - 'iwinrm.db*'
+      - 'iwmi.db*'
@@ -1,54 +1,55 @@
----
-title: PSExec
-group: MFT
-description: PsExec artifacts
-authors:
-  - Reece394
-
-
-kind: mft
-level: medium
-status: stable
-timestamp: StandardInfoCreated
-
-
-fields:
-  - name: FileNamePath
-    to: FullPath
-  - name: StandardInfoLastModified0x10
-    to: StandardInfoLastModified
-  - name: StandardInfoLastAccess0x10
-    to: StandardInfoLastAccess
-  - name: FileNameCreated0x30
-    to: FileNameCreated
-  - name: FileNameLastModified0x30
-    to: FileNameLastModified
-  - name: FileNameLastAccess0x30
-    to: FileNameLastAccess
-  - name: FileSize
-    to: FileSize
-  - name: IsADirectory
-    to: IsADirectory
-  - name: IsDeleted
-    to: IsDeleted
-  - name: HasAlternateDataStreams
-    to: HasAlternateDataStreams
-  - name: DataStreams
-    to: DataStreams
-
-filter:
-  condition: psexec or (key_1 and key_2)
-
-  psexec:
-    FullPath:
-      - 'i*PSEXESVC.exe*'
-      - 'i*PSExec.exe*'
-      - 'i*PSExec64.exe*'
-
-  key_1:
-    FullPath:
-      - 'i*.key*'
-
-  key_2:
-    FullPath:
-      - 'i*PSEXEC-*'
+---
+title: PSExec
+group: MFT
+description: PsExec artifacts
+authors:
+  - Reece394, Krzysztof Kuzin
+
+
+kind: mft
+level: medium
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+  - name: FileNamePath
+    to: FullPath
+  - name: StandardInfoLastModified0x10
+    to: StandardInfoLastModified
+  - name: StandardInfoLastAccess0x10
+    to: StandardInfoLastAccess
+  - name: FileNameCreated0x30
+    to: FileNameCreated
+  - name: FileNameLastModified0x30
+    to: FileNameLastModified
+  - name: FileNameLastAccess0x30
+    to: FileNameLastAccess
+  - name: FileSize
+    to: FileSize
+  - name: IsADirectory
+    to: IsADirectory
+  - name: IsDeleted
+    to: IsDeleted
+  - name: HasAlternateDataStreams
+    to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
+
+filter:
+  condition: psexec or (key_1 and key_2)
+
+  psexec:
+    FullPath:
+      - 'i*PSEXESVC.exe*'
+      - 'i*PSExec.exe*'
+      - 'i*PSExec64.exe*'
+      - 'i*PS64.exe*'
+
+  key_1:
+    FullPath:
+      - 'i*.key*'
+
+  key_2:
+    FullPath:
+      - 'i*PSEXEC-*'