Add high-level detection guidance for key hits

key hits.txt

@@ -0,0 +1,38 @@
+Key Hits — High-Level Detection Guidance
+(No raw logs included)
+
+Network indicators:
+- Repeated DNS/SNI/HTTP(S) contacts to github.stormbreaker.pro and stormbreaker.pro.
+- Secondary C2/relay domains observed: kaylees.site, pir.kaylees.site, plus multiple typosquat and free-TLD domains.
+
+Process / execution patterns:
+- References to 'sshd' (SSH daemon).
+- Frequent invocations of '/bin/bash' — look for unexpected SSH services, pseudo-shells, or elevated shell activity.
+- Indicators of command execution and file-transfer behavior (keywords: download, upload, payload identifiers).
+
+Proxy / tunneling markers:
+- Unique string "tunnel_shine" observed in routing/proxy configuration contexts.
+- Unique SYSTEM_PROXY UUID: A124B30D-1DA8-4A28-9086-C7F485678DCB
+  (High-value pivot for provider/host log searches.)
+
+Beacon / heartbeat patterns:
+- Recurrent periodic heartbeat-like entries.
+  - Example marker: Awareness.heartbeat:E9362
+- Look for regular timing patterns or periodic callbacks in telemetry.
+
+Detection Recommendations:
+- Monitor DNS logs and TLS SNI for the listed domains and variants.
+- Alert on:
+  - New or unexpected SSH service instances
+  - Sudden increases in /bin/bash invocation rates
+- Hunt for:
+  - The proxy UUID
+  - The "tunnel_shine" string in system or configuration logs
+- Correlate:
+  - Suspicious DNS/TLS hits
+  - With endpoint process activity + unusual outbound traffic
+  - Prioritize timestamps aligning with observed beacon cadence.
+
+Notes:
+- Validate indicators against local telemetry — some domains may be reused or repurposed.
+- If you find matches that appear benign, notify the repository contact for review.