MalChain Detections GitHub

About MalChain

MalChain is an open-source, behaviour-centric malware kill-chain framework maintained by Malwarehunts. It models real-world adversary operations across the full intrusion lifecycle by abstracting attacker actions into reusable operational capabilities that stay stable even as malware tooling evolves.

Behaviour-centric

Models attacker capabilities and trust abuse, not fragile tool or hash indicators.

Full lifecycle

Six phases and 52 techniques spanning initial access through exfiltration and C2.

Detection-ready

Every technique ships runnable KQL, and 30 ship validated YARA rules.

Who maintains it

MalChain is a project by Malwarehunts — a threat-research effort focused on malware analysis, detection engineering, and threat hunting. Our goal is to help defenders reason about attacker behaviour in a structured, high-fidelity way and turn that understanding into detections they can deploy the same day.

Who it’s for

Security operations centres, detection-engineering and threat-hunting teams, incident responders, malware researchers, and red / purple teams. MalChain is platform-agnostic and applies across endpoint, network, cloud, and hybrid environments.

What’s inside

Six phases — Ingress, Activation, Anchoring, Concealment, Expansion, and Extraction — covering 52 techniques. Each technique carries a summary, detection guidance, a ready-to-run Microsoft Defender / Sentinel KQL query, a YARA rule where file or memory artifacts apply, mitigation and incident-response notes, and chain-linking to the techniques it enables next.

Contributing

Contributions are welcome — malware case studies, new or tuned detection signatures (KQL and YARA), and technical analysis. Open an issue or pull request on GitHub.

Stay in touch

Read more research and analysis at malwarehunts.com, or follow development on GitHub.