valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

False Positive Reduction

Browse Source
This commit is contained in:
Florian Roth 2017-12-17 23:55:33 +01:00
parent ef4e347960
commit 05a203dc7b
2 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
yara/apt_moonlightmaze.yar
View File

@ -41,9 +41,8 @@ strings:
$a11="ork error" ascii fullword $a11="ork error" ascii fullword
condition: condition:
// Change from "any of them" to 3 of them due to false positives with Nvidia drivers
((any of ($a*))) 3 of ($a*)
} }

1
yara/gen_invoke_mimikatz.yar
View File

@ -15,7 +15,6 @@ rule Invoke_Mimikatz {
date = "2016-08-03" date = "2016-08-03"
hash1 = "f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67" hash1 = "f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67"
strings: strings:
$x1 = "Invoke-Mimikatz" wide fullword
$x2 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm" ascii $x2 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm" ascii
$x3 = "Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii $x3 = "Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii
condition: condition: