diff --git a/sig-base-rules.csv b/sig-base-rules.csv index 0511224..dab0568 100644 --- a/sig-base-rules.csv +++ b/sig-base-rules.csv 
@@ -1,59 +1,59 @@ -EXP_DriveCrypt_1;Detects DriveCrypt exploit;Internal Research;2018-08-21 00:00:00;70;Florian Roth;FILE,EXE -EXP_DriveCrypt_x64passldr;Detects DriveCrypt exploit;Internal Research;2018-08-21 00:00:00;70;Florian Roth;FILE,EXE +EXP_DriveCrypt_1;Detects DriveCrypt exploit;Internal Research;2018-08-21 00:00:00;70;Florian Roth;EXE,FILE +EXP_DriveCrypt_x64passldr;Detects DriveCrypt exploit;Internal Research;2018-08-21 00:00:00;70;Florian Roth;EXE,FILE MAL_Xbash_PY_Sep18;Detects Xbash malware;https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/;2018-09-18 00:00:00;70;Florian Roth;FILE MAL_Xbash_SH_Sep18;Detects Xbash malware;https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/;2018-09-18 00:00:00;70;Florian Roth;FILE MAL_Xbash_JS_Sep18;Detects XBash malware;https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/;2018-09-18 00:00:00;70;Florian Roth;FILE -hkdoor_backdoor_dll;Hacker's Door Backdoor DLL;https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html;1970-01-01 01:00:00;70;Cylance Inc.;MAL,FILE,EXE -hkdoor_backdoor;Hacker's Door Backdoor;https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html;1970-01-01 01:00:00;70;Cylance Inc.;MAL,FILE,EXE -hkdoor_dropper;Hacker's Door Dropper;https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html;1970-01-01 01:00:00;70;Cylance Inc.;EXTVAR,MAL,FILE,EXE -hkdoor_driver;Hacker's Door Driver;-;1970-01-01 01:00:00;70;-;FILE,EXE -CVE_2017_8759_Mal_HTA;Detects malicious files related to CVE-2017-8759 - file cmd.hta;https://github.com/Voulnet/CVE-2017-8759-Exploit-sample;2017-09-14 00:00:00;70;Florian Roth;FILE,EXPLOIT -CVE_2017_8759_Mal_Doc;Detects malicious files related to CVE-2017-8759 - file 
Doc1.doc;https://github.com/Voulnet/CVE-2017-8759-Exploit-sample;2017-09-14 00:00:00;70;Florian Roth;FILE,EXPLOIT +hkdoor_backdoor_dll;Hacker's Door Backdoor DLL;https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html;1970-01-01 01:00:00;70;Cylance Inc.;MAL,EXE,FILE +hkdoor_backdoor;Hacker's Door Backdoor;https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html;1970-01-01 01:00:00;70;Cylance Inc.;MAL,EXE,FILE +hkdoor_dropper;Hacker's Door Dropper;https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html;1970-01-01 01:00:00;70;Cylance Inc.;EXTVAR,EXE,MAL,FILE +hkdoor_driver;Hacker's Door Driver;-;1970-01-01 01:00:00;70;-;EXE,FILE +CVE_2017_8759_Mal_HTA;Detects malicious files related to CVE-2017-8759 - file cmd.hta;https://github.com/Voulnet/CVE-2017-8759-Exploit-sample;2017-09-14 00:00:00;70;Florian Roth;EXPLOIT,FILE +CVE_2017_8759_Mal_Doc;Detects malicious files related to CVE-2017-8759 - file Doc1.doc;https://github.com/Voulnet/CVE-2017-8759-Exploit-sample;2017-09-14 00:00:00;70;Florian Roth;EXPLOIT,FILE CVE_2017_8759_SOAP_via_JS;Detects SOAP WDSL Download via JavaScript;https://twitter.com/buffaloverflow/status/907728364278087680;2017-09-14 00:00:00;60;Florian Roth; CVE_2017_8759_SOAP_Excel;Detects malicious files related to CVE-2017-8759;https://twitter.com/buffaloverflow/status/908455053345869825;2017-09-15 00:00:00;60;Florian Roth;EXPLOIT CVE_2017_8759_SOAP_txt;Detects malicious file in releation with CVE-2017-8759 - file exploit.txt;https://github.com/Voulnet/CVE-2017-8759-Exploit-sample;2017-09-14 00:00:00;70;Florian Roth;EXPLOIT -CVE_2017_8759_WSDL_in_RTF;Detects malicious RTF file related CVE-2017-8759;https://twitter.com/xdxdxdxdoa/status/908665278199996416;2017-09-15 00:00:00;70;Security Doggo @xdxdxdxdoa;EXTVAR,EXPLOIT -Kraken_Bot_Sample;Kraken Bot Sample - file inf.bin;https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html;2015-05-07 00:00:00;90;Florian Roth;FILE,EXE 
+CVE_2017_8759_WSDL_in_RTF;Detects malicious RTF file related CVE-2017-8759;https://twitter.com/xdxdxdxdoa/status/908665278199996416;2017-09-15 00:00:00;70;Security Doggo @xdxdxdxdoa;EXPLOIT,EXTVAR +Kraken_Bot_Sample;Kraken Bot Sample - file inf.bin;https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html;2015-05-07 00:00:00;90;Florian Roth;EXE,FILE Neuron_common_strings;Rule for detection of Neuron based on commonly used strings;https://www.ncsc.gov.uk/alerts/turla-group-malware;2017-11-23 00:00:00;70;NCSC UK;FILE Neuron_standalone_signature;Rule for detection of Neuron based on a standalone signature from .NET metadata;https://www.ncsc.gov.uk/alerts/turla-group-malware;2017-11-23 00:00:00;70;NCSC UK;FILE Nautilus_modified_rc4_loop;Rule for detection of Nautilus based on assembly code for a modified RC4 loop;https://www.ncsc.gov.uk/alerts/turla-group-malware;2017-11-23 00:00:00;70;NCSC UK;FILE Nautilus_rc4_key;Rule for detection of Nautilus based on a hardcoded RC4 key;https://www.ncsc.gov.uk/alerts/turla-group-malware;2017-11-23 00:00:00;70;NCSC UK;FILE Nautilus_common_strings;Rule for detection of Nautilus based on common plaintext strings;https://www.ncsc.gov.uk/alerts/turla-group-malware;2017-11-23 00:00:00;70;NCSC UK;FILE Nautilus_forensic_artificats;Rule for detection of Nautilus related strings;https://www.ncsc.gov.uk/alerts/turla-group-malware;2017-11-23 00:00:00;60;NCSC UK / Florian Roth; -PowerShell_Case_Anomaly;Detects obfuscated PowerShell hacktools;https://twitter.com/danielhbohannon/status/905096106924761088;2017-08-11 00:00:00;70;Florian Roth;SCRIPT,OBFUS +PowerShell_Case_Anomaly;Detects obfuscated PowerShell hacktools;https://twitter.com/danielhbohannon/status/905096106924761088;2017-08-11 00:00:00;70;Florian Roth;OBFUS,SCRIPT WScriptShell_Case_Anomaly;Detects obfuscated wscript.shell commands;Internal Research;2017-09-11 00:00:00;60;Florian Roth;OBFUS -Backdoor_Redosdru_Jun17;Detects malware Redosdru - file 
systemHome.exe;https://goo.gl/OOB3mH;2017-06-04 00:00:00;70;Florian Roth;FILE,EXE -Backdoor_Nitol_Jun17;Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader;https://goo.gl/OOB3mH;2017-06-04 00:00:00;70;Florian Roth;MAL,FILE,EXE +Backdoor_Redosdru_Jun17;Detects malware Redosdru - file systemHome.exe;https://goo.gl/OOB3mH;2017-06-04 00:00:00;70;Florian Roth;EXE,FILE +Backdoor_Nitol_Jun17;Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader;https://goo.gl/OOB3mH;2017-06-04 00:00:00;70;Florian Roth;MAL,EXE,FILE PoS_Malware_MalumPOS;Used to detect MalumPOS memory dumper;-;2015-05-25 00:00:00;70;Trend Micro, Inc.;MAL -Waterbear_1_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -Waterbear_2_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -Waterbear_4_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE +Waterbear_1_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +Waterbear_2_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +Waterbear_4_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE Waterbear_5_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE -Waterbear_6_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -Waterbear_7_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -Waterbear_8_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE 
-Waterbear_9_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -Waterbear_10_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -Waterbear_11_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -Waterbear_12_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -Waterbear_13_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -Waterbear_14_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;FILE,EXE -PoisonIvy_Generic_3;PoisonIvy RAT Generic Rule;-;2015-05-14 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE -OilRig_Malware_Campaign_Gen1;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE -OilRig_Malware_Campaign_Mal1;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE -OilRig_Malware_Campaign_Gen2;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE -OilRig_Malware_Campaign_Gen3;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE -OilRig_Malware_Campaign_Mal2;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE +Waterbear_6_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +Waterbear_7_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +Waterbear_8_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE 
+Waterbear_9_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +Waterbear_10_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +Waterbear_11_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +Waterbear_12_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +Waterbear_13_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +Waterbear_14_Jun17;Detects malware from Operation Waterbear;https://goo.gl/L9g9eR;2017-06-23 00:00:00;70;Florian Roth;EXE,FILE +PoisonIvy_Generic_3;PoisonIvy RAT Generic Rule;-;2015-05-14 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE +OilRig_Malware_Campaign_Gen1;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MAL,MIDDLE_EAST,FILE +OilRig_Malware_Campaign_Mal1;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MAL,MIDDLE_EAST,FILE +OilRig_Malware_Campaign_Gen2;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MAL,MIDDLE_EAST,FILE +OilRig_Malware_Campaign_Gen3;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MAL,MIDDLE_EAST,FILE +OilRig_Malware_Campaign_Mal2;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MAL,MIDDLE_EAST,FILE OilRig_Campaign_Reconnaissance;Detects Windows discovery commands - known from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MIDDLE_EAST -OilRig_Malware_Campaign_Mal3;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL 
-OilRig_Malware_Nov17_13;;https://twitter.com/ClearskySec/status/933280188733018113;2017-11-22 00:00:00;70;Florian Roth;MAL,FILE,EXE +OilRig_Malware_Campaign_Mal3;Detects malware from OilRig Campaign;https://goo.gl/QMRZ8K;2016-10-12 00:00:00;70;Florian Roth;MAL,MIDDLE_EAST +OilRig_Malware_Nov17_13;;https://twitter.com/ClearskySec/status/933280188733018113;2017-11-22 00:00:00;70;Florian Roth;MAL,EXE,FILE Oilrig_IntelSecurityManager_macro;Detects OilRig malware;Internal Research;2018-01-19 00:00:00;70;Eyal Sela (slightly modified by Florian Roth);MIDDLE_EAST Oilrig_IntelSecurityManager;Detects OilRig malware;Internal Research;2018-01-19 00:00:00;70;Eyal Sela;MIDDLE_EAST -KeyBoys_malware_1;Detects Keyboys malware;http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html;2017-11-02 00:00:00;70;Florian Roth;FILE,EXE -KeyBoy_InstallClient;Detects KeyBoy InstallClient;https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/;2018-03-26 00:00:00;70;Markus Neis, Florian Roth;FILE,EXE -KeyBoy_wab32res;Detects KeyBoy Loader wab32res.dll;https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/;2018-03-26 00:00:00;70;Markus Neis, Florian Roth;FILE,EXE -KeyBoy_rasauto;Detects KeyBoy ServiceClient;https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/;2018-03-26 00:00:00;70;Markus Neis, Florian Roth;FILE,EXE -KeyBoy_876_0x4e20000;Detects KeyBoy Backdoor;https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/;2018-03-26 00:00:00;70;Markus Neis, Florian Roth;MAL,FILE,EXE +KeyBoys_malware_1;Detects Keyboys malware;http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html;2017-11-02 00:00:00;70;Florian Roth;EXE,FILE +KeyBoy_InstallClient;Detects KeyBoy InstallClient;https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/;2018-03-26 
00:00:00;70;Markus Neis, Florian Roth;EXE,FILE +KeyBoy_wab32res;Detects KeyBoy Loader wab32res.dll;https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/;2018-03-26 00:00:00;70;Markus Neis, Florian Roth;EXE,FILE +KeyBoy_rasauto;Detects KeyBoy ServiceClient;https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/;2018-03-26 00:00:00;70;Markus Neis, Florian Roth;EXE,FILE +KeyBoy_876_0x4e20000;Detects KeyBoy Backdoor;https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/;2018-03-26 00:00:00;70;Markus Neis, Florian Roth;MAL,EXE,FILE RAT_AAR;Detects AAR RAT;http://malwareconfig.com/stats/AAR;2014-04-05 00:00:00;70;Kevin Breen ;MAL RAT_Adzok;Detects Adzok RAT;http://malwareconfig.com/stats/Adzok;2015-05-05 00:00:00;70;Kevin Breen ;MAL RAT_Ap0calypse;Detects Ap0calypse RAT;http://malwareconfig.com/stats/Ap0calypse;2014-04-05 00:00:00;70;Kevin Breen ;MAL 
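Review bot: The tag order written in this hunk is not deterministic: rows move from `FILE,EXE` to `EXE,FILE`, from `MAL,FILE,EXE` to `MAL,EXE,FILE`, and from `GEN,MAL,FILE,EXE` to `MAL,EXE,GEN,FILE`, which is neither alphabetical nor the previous order, so the same input will likely reorder again on the next export; the hunks at `@@ -82,9` and `@@ -97,146` show the same pattern. If sig-base-rules.csv is produced by a script (inferred from the uniform `name;description;reference;date;score;author;tags` layout of every row), writing the tag column as a sorted, de-duplicated list would make the file reproducible and confine future diffs to genuine metadata changes. Until then, anyone diffing this file to spot rule changes cannot tell this churn from a real edit, so a consumer should compare the tag field as a set rather than as a string; note also that `OilRig_Malware_Nov17_13` is re-emitted with its description field still empty (`;;`), which an exporter could flag rather than pass through silently.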
@@ -82,9 +82,9 @@ RAT_Plasma;Detects Plasma RAT;http://malwareconfig.com/stats/Plasma;2014-04-05 0 RAT_PoisonIvy;Detects PoisonIvy RAT;http://malwareconfig.com/stats/PoisonIvy;2014-04-05 00:00:00;70;Kevin Breen ;MAL RAT_PredatorPain;Detects PredatorPain RAT;http://malwareconfig.com/stats/PredatorPain;2014-04-05 00:00:00;70;Kevin Breen ;MAL RAT_Punisher;Detects Punisher RAT;http://malwareconfig.com/stats/Punisher;2014-04-05 00:00:00;70;Kevin Breen ;MAL -RAT_PythoRAT;Detects Python RAT;http://malwareconfig.com/stats/PythoRAT;2014-04-05 00:00:00;70;Kevin Breen ;SCRIPT,MAL +RAT_PythoRAT;Detects Python RAT;http://malwareconfig.com/stats/PythoRAT;2014-04-05 00:00:00;70;Kevin Breen ;MAL,SCRIPT RAT_QRat;Detects QRAT;http://malwareconfig.com;2015-08-05 00:00:00;70;Kevin Breen @KevTheHermit;MAL -RAT_Sakula;Detects Sakula v1.0 RAT;http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara;2015-10-13 00:00:00;70;Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings;MAL,FILE,EXE +RAT_Sakula;Detects Sakula v1.0 RAT;http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara;2015-10-13 00:00:00;70;Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings;MAL,EXE,FILE RAT_ShadowTech;Detects ShadowTech RAT;http://malwareconfig.com/stats/ShadowTech;2014-04-05 00:00:00;70;Kevin Breen ;MAL RAT_SmallNet;Detects SmallNet RAT;http://malwareconfig.com/stats/SmallNet;2014-04-05 00:00:00;70;Kevin Breen ;MAL RAT_SpyGate;Detects SpyGate RAT;http://malwareconfig.com/stats/SpyGate;2014-04-05 00:00:00;70;Kevin Breen ;MAL 
@@ -97,146 +97,146 @@ RAT_njRat;Detects njRAT;http://malwareconfig.com/stats/njRat;2014-04-05 00:00:00 RAT_unrecom;Detects unrecom RAT;http://malwareconfig.com/stats/unrecom;2014-04-05 00:00:00;70;Kevin Breen ;MAL RAT_xRAT;Detects xRAT;http://malwareconfig.com/stats/xRat;2014-04-05 00:00:00;70;Kevin Breen ;MAL MAL_JRAT_Oct18_1;Detects JRAT malware;Internal Research;2018-10-11 00:00:00;70;Florian Roth;MAL,FILE -APT_TA18_149A_Joanap_Sample1;Detects malware from TA18-149A report by US-CERT;https://www.us-cert.gov/ncas/alerts/TA18-149A;2018-05-30 00:00:00;70;Florian Roth;FILE,EXE -APT_TA18_149A_Joanap_Sample2;Detects malware from TA18-149A report by US-CERT;https://www.us-cert.gov/ncas/alerts/TA18-149A;2018-05-30 00:00:00;70;Florian Roth;FILE,EXE -APT_TA18_149A_Joanap_Sample3;Detects malware from TA18-149A report by US-CERT;https://www.us-cert.gov/ncas/alerts/TA18-149A;2018-05-30 00:00:00;70;Florian Roth;FILE,EXE +APT_TA18_149A_Joanap_Sample1;Detects malware from TA18-149A report by US-CERT;https://www.us-cert.gov/ncas/alerts/TA18-149A;2018-05-30 00:00:00;70;Florian Roth;EXE,FILE +APT_TA18_149A_Joanap_Sample2;Detects malware from TA18-149A report by US-CERT;https://www.us-cert.gov/ncas/alerts/TA18-149A;2018-05-30 00:00:00;70;Florian Roth;EXE,FILE +APT_TA18_149A_Joanap_Sample3;Detects malware from TA18-149A report by US-CERT;https://www.us-cert.gov/ncas/alerts/TA18-149A;2018-05-30 00:00:00;70;Florian Roth;EXE,FILE custom_ssh_backdoor_server;Custome SSH backdoor based on python and paramiko - file server.py;https://goo.gl/S46L3o;2015-05-14 00:00:00;70;Florian Roth;MAL Enfal_Malware;Detects a certain type of Enfal Malware;not set;2015-02-10 00:00:00;60;Florian Roth;MAL -Enfal_Malware_Backdoor;Generic Rule to detect the Enfal Malware;-;2015-02-10 00:00:00;60;Florian Roth;GEN,MAL +Enfal_Malware_Backdoor;Generic Rule to detect the Enfal Malware;-;2015-02-10 00:00:00;60;Florian Roth;MAL,GEN APT_RANCOR_JS_Malware;Rancor 
Malware;https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/;2018-06-26 00:00:00;70;Florian Roth;MAL,FILE -APT_RANCOR_PLAINTEE_Variant;Detects PLAINTEE malware;https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/;2018-06-26 00:00:00;70;Florian Roth;FILE,EXE -APT_RANCOR_PLAINTEE_Malware_Exports;Detects PLAINTEE malware;https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/;2018-06-26 00:00:00;70;Florian Roth;MAL,FILE,EXE -APT_RANCOR_DDKONG_Malware_Exports;Detects DDKONG malware;https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/;2018-06-26 00:00:00;70;Florian Roth;MAL,FILE,EXE -XMRIG_Monero_Miner;Detects Monero mining software;https://github.com/xmrig/xmrig/releases;2018-01-04 00:00:00;70;Florian Roth;FILE,EXE +APT_RANCOR_PLAINTEE_Variant;Detects PLAINTEE malware;https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/;2018-06-26 00:00:00;70;Florian Roth;EXE,FILE +APT_RANCOR_PLAINTEE_Malware_Exports;Detects PLAINTEE malware;https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/;2018-06-26 00:00:00;70;Florian Roth;MAL,EXE,FILE +APT_RANCOR_DDKONG_Malware_Exports;Detects DDKONG malware;https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/;2018-06-26 00:00:00;70;Florian Roth;MAL,EXE,FILE +XMRIG_Monero_Miner;Detects Monero mining software;https://github.com/xmrig/xmrig/releases;2018-01-04 00:00:00;70;Florian Roth;EXE,FILE XMRIG_Monero_Miner_Config;Auto-generated rule - from files 
config.json, config.json;https://github.com/xmrig/xmrig/releases;2018-01-04 00:00:00;70;Florian Roth;FILE -PUA_LNX_XMRIG_CryptoMiner;Detects XMRIG CryptoMiner software;Internal Research;2018-06-28 00:00:00;70;Florian Roth;FILE,LINUX -SUSP_XMRIG_String;Detects a suspicious XMRIG crypto miner executable string in filr;Internal Research;2018-12-28 00:00:00;70;Florian Roth;FILE,EXE -GoldDragon_malware_Feb18_1;Detects malware from Gold Dragon report;https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/;2018-02-03 00:00:00;90;Florian Roth;CHINA,FILE,EXE +PUA_LNX_XMRIG_CryptoMiner;Detects XMRIG CryptoMiner software;Internal Research;2018-06-28 00:00:00;70;Florian Roth;LINUX,FILE +SUSP_XMRIG_String;Detects a suspicious XMRIG crypto miner executable string in filr;Internal Research;2018-12-28 00:00:00;70;Florian Roth;EXE,FILE +GoldDragon_malware_Feb18_1;Detects malware from Gold Dragon report;https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/;2018-02-03 00:00:00;90;Florian Roth;EXE,CHINA,FILE GoldDragon_Aux_File;Detects export from Gold Dragon - February 2018;https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/;2018-02-03 00:00:00;90;Florian Roth;CHINA -GoldDragon_Ghost419_RAT;Detects Ghost419 RAT from Gold Dragon report;https://goo.gl/rW1yvZ;2018-02-03 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE -GoldDragon_RunningRAT;Detects Running RAT from Gold Dragon report;https://goo.gl/rW1yvZ;2018-02-03 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE -GoldDragon_RunnignRAT;Detects Running RAT malware from Gold Dragon report;https://goo.gl/rW1yvZ;2018-02-03 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE -Unit78020_Malware_Gen1;Detects malware by Chinese APT PLA Unit 78020 - Generic 
Rule;http://threatconnect.com/camerashy/?utm_campaign=CameraShy;2015-09-24 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,GEN,MAL -Unit78020_Malware_1;Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe;http://threatconnect.com/camerashy/?utm_campaign=CameraShy;2015-09-24 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,MAL -Unit78020_Malware_Gen2;Detects malware by Chinese APT PLA Unit 78020 - Generic Rule;http://threatconnect.com/camerashy/?utm_campaign=CameraShy;2015-09-24 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,GEN,MAL -Unit78020_Malware_Gen3;Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong;http://threatconnect.com/camerashy/?utm_campaign=CameraShy;2015-09-24 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,GEN,MAL -SeDLL_Javascript_Decryptor;Detects SeDll - DLL is used for decrypting and executing another JavaScript backdoor such as Orz;https://goo.gl/MZ7dRg;2017-10-18 00:00:00;70;Florian Roth;MAL,FILE,EXE -Leviathan_CobaltStrike_Sample_1;Detects Cobalt Strike sample from Leviathan report;https://goo.gl/MZ7dRg;2017-10-18 00:00:00;70;Florian Roth;FILE,EXE -MockDll_Gen;Detects MockDll - regsvr DLL loader;https://goo.gl/MZ7dRg;2017-10-18 00:00:00;70;Florian Roth;FILE,EXE +GoldDragon_Ghost419_RAT;Detects Ghost419 RAT from Gold Dragon report;https://goo.gl/rW1yvZ;2018-02-03 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE +GoldDragon_RunningRAT;Detects Running RAT from Gold Dragon report;https://goo.gl/rW1yvZ;2018-02-03 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE +GoldDragon_RunnignRAT;Detects Running RAT malware from Gold Dragon report;https://goo.gl/rW1yvZ;2018-02-03 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE +Unit78020_Malware_Gen1;Detects malware by Chinese APT PLA Unit 78020 - Generic Rule;http://threatconnect.com/camerashy/?utm_campaign=CameraShy;2015-09-24 00:00:00;70;Florian Roth;EXE,CHINA,MAL,GEN,APT,FILE +Unit78020_Malware_1;Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - 
msictl.exe;http://threatconnect.com/camerashy/?utm_campaign=CameraShy;2015-09-24 00:00:00;70;Florian Roth;EXE,CHINA,MAL,APT,FILE +Unit78020_Malware_Gen2;Detects malware by Chinese APT PLA Unit 78020 - Generic Rule;http://threatconnect.com/camerashy/?utm_campaign=CameraShy;2015-09-24 00:00:00;70;Florian Roth;EXE,CHINA,MAL,GEN,APT,FILE +Unit78020_Malware_Gen3;Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong;http://threatconnect.com/camerashy/?utm_campaign=CameraShy;2015-09-24 00:00:00;70;Florian Roth;EXE,CHINA,MAL,GEN,APT,FILE +SeDLL_Javascript_Decryptor;Detects SeDll - DLL is used for decrypting and executing another JavaScript backdoor such as Orz;https://goo.gl/MZ7dRg;2017-10-18 00:00:00;70;Florian Roth;MAL,EXE,FILE +Leviathan_CobaltStrike_Sample_1;Detects Cobalt Strike sample from Leviathan report;https://goo.gl/MZ7dRg;2017-10-18 00:00:00;70;Florian Roth;EXE,FILE +MockDll_Gen;Detects MockDll - regsvr DLL loader;https://goo.gl/MZ7dRg;2017-10-18 00:00:00;70;Florian Roth;EXE,FILE VBScript_Favicon_File;VBScript cloaked as Favicon file used in Leviathan incident;https://goo.gl/MZ7dRg;2017-10-18 00:00:00;70;Florian Roth;SCRIPT,FILE -PP_CN_APT_ZeroT_1;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;APT,FILE,EXE -PP_CN_APT_ZeroT_2;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;APT,FILE,EXE -PP_CN_APT_ZeroT_3;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;FILE,APT -PP_CN_APT_ZeroT_4;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 
00:00:00;70;Florian Roth;APT,FILE,EXE -PP_CN_APT_ZeroT_5;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;FILE,APT -PP_CN_APT_ZeroT_6;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;APT,FILE,EXE -PP_CN_APT_ZeroT_7;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;APT,FILE,EXE -PP_CN_APT_ZeroT_8;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;FILE,APT -PP_CN_APT_ZeroT_9;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;APT,FILE,EXE -CN_APT_ZeroT_nflogger;Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-04 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,HKTL,MAL -CN_APT_ZeroT_extracted_Go;Chinese APT by Proofpoint ZeroT RAT - file Go.exe;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-04 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,MAL -CN_APT_ZeroT_extracted_Mcutil;Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-04 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,MAL -CN_APT_ZeroT_extracted_Zlh;Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-04 00:00:00;70;Florian 
Roth;APT,EXE,CHINA,FILE,MAL -Kriskynote_Mar17_1;Detects Kriskynote Malware;Internal Research;2017-03-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -Kriskynote_Mar17_2;Detects Kriskynote Malware;Internal Research;2017-03-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -Kriskynote_Mar17_3;Detects Kriskynote Malware;Internal Research;2017-03-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -Furtim_nativeDLL;Detects Furtim malware - file native.dll;MISP 3971;2016-06-13 00:00:00;70;Florian Roth;FILE,EXE -Furtim_Parent_1;Detects Furtim Parent Malware;https://sentinelone.com/blogs/sfg-furtims-parent/;2016-07-16 00:00:00;70;Florian Roth;MAL,FILE,EXE -Dubnium_Sample_1;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;FILE,EXE -Dubnium_Sample_2;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;FILE,EXE -Dubnium_Sample_3;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;FILE,EXE -Dubnium_Sample_5;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;FILE,EXE -Dubnium_Sample_6;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;FILE,EXE -Dubnium_Sample_7;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;FILE,EXE -Dubnium_Sample_SSHOpenSSL;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;FILE,EXE -MAL_DNSPIONAGE_Malware_Nov18;Detects DNSpionage Malware;https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html;2018-11-30 00:00:00;70;Florian Roth;MAL,FILE,EXE -ME_Campaign_Malware_1;Detects malware from Middle Eastern campaign reported by Talos;http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html;2018-02-07 00:00:00;70;Florian Roth;MAL,FILE,EXE 
-ME_Campaign_Malware_2;Detects malware from Middle Eastern campaign reported by Talos;http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html;2018-02-07 00:00:00;70;Florian Roth;MAL,FILE,EXE +PP_CN_APT_ZeroT_1;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;EXE,APT,FILE +PP_CN_APT_ZeroT_2;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;EXE,APT,FILE +PP_CN_APT_ZeroT_3;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;APT,FILE +PP_CN_APT_ZeroT_4;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;EXE,APT,FILE +PP_CN_APT_ZeroT_5;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;APT,FILE +PP_CN_APT_ZeroT_6;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;EXE,APT,FILE +PP_CN_APT_ZeroT_7;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;EXE,APT,FILE +PP_CN_APT_ZeroT_8;Detects malware from the Proofpoint CN APT ZeroT incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;APT,FILE +PP_CN_APT_ZeroT_9;Detects malware from the Proofpoint CN APT ZeroT 
incident;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-03 00:00:00;70;Florian Roth;EXE,APT,FILE +CN_APT_ZeroT_nflogger;Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-04 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,MAL,APT,FILE +CN_APT_ZeroT_extracted_Go;Chinese APT by Proofpoint ZeroT RAT - file Go.exe;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-04 00:00:00;70;Florian Roth;EXE,CHINA,MAL,APT,FILE +CN_APT_ZeroT_extracted_Mcutil;Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-04 00:00:00;70;Florian Roth;EXE,CHINA,MAL,APT,FILE +CN_APT_ZeroT_extracted_Zlh;Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe;https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx;2017-02-04 00:00:00;70;Florian Roth;EXE,CHINA,MAL,APT,FILE +Kriskynote_Mar17_1;Detects Kriskynote Malware;Internal Research;2017-03-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +Kriskynote_Mar17_2;Detects Kriskynote Malware;Internal Research;2017-03-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +Kriskynote_Mar17_3;Detects Kriskynote Malware;Internal Research;2017-03-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +Furtim_nativeDLL;Detects Furtim malware - file native.dll;MISP 3971;2016-06-13 00:00:00;70;Florian Roth;EXE,FILE +Furtim_Parent_1;Detects Furtim Parent Malware;https://sentinelone.com/blogs/sfg-furtims-parent/;2016-07-16 00:00:00;70;Florian Roth;MAL,EXE,FILE +Dubnium_Sample_1;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;EXE,FILE +Dubnium_Sample_2;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;EXE,FILE +Dubnium_Sample_3;Detects sample mentioned in the Dubnium 
Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;EXE,FILE +Dubnium_Sample_5;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;EXE,FILE +Dubnium_Sample_6;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;EXE,FILE +Dubnium_Sample_7;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;EXE,FILE +Dubnium_Sample_SSHOpenSSL;Detects sample mentioned in the Dubnium Report;https://goo.gl/AW9Cuu;2016-06-10 00:00:00;70;Florian Roth;EXE,FILE +MAL_DNSPIONAGE_Malware_Nov18;Detects DNSpionage Malware;https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html;2018-11-30 00:00:00;70;Florian Roth;MAL,EXE,FILE +ME_Campaign_Malware_1;Detects malware from Middle Eastern campaign reported by Talos;http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html;2018-02-07 00:00:00;70;Florian Roth;MAL,EXE,FILE +ME_Campaign_Malware_2;Detects malware from Middle Eastern campaign reported by Talos;http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html;2018-02-07 00:00:00;70;Florian Roth;MAL,EXE,FILE ME_Campaign_Malware_3;Detects malware from Middle Eastern campaign reported by Talos;http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html;2018-02-07 00:00:00;70;Florian Roth;MAL,FILE -ME_Campaign_Malware_4;Detects malware from Middle Eastern campaign reported by Talos;http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html;2018-02-07 00:00:00;70;Florian Roth;MAL,FILE,EXE -ME_Campaign_Malware_5;Detects malware from Middle Eastern campaign reported by Talos;http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html;2018-02-07 00:00:00;70;Florian Roth;MAL,FILE,EXE -Indetectables_RAT;Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan 
Mouchoux;http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/;2015-10-01 00:00:00;70;Florian Roth;MAL,FILE,EXE -BergSilva_Malware;Detects a malware from the same author as the Indetectables RAT;-;2015-10-01 00:00:00;70;Florian Roth;MAL,FILE,EXE -TeleBots_IntercepterNG;Detects TeleBots malware - IntercepterNG;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;FILE,EXE -TeleBots_KillDisk_1;Detects TeleBots malware - KillDisk;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;FILE,EXE -TeleBots_KillDisk_2;Detects TeleBots malware - KillDisk;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;FILE,EXE -TeleBots_CredRaptor_Password_Stealer;Detects TeleBots malware - CredRaptor Password Stealer;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;MAL,FILE,EXE -TeleBots_VBS_Backdoor_1;Detects TeleBots malware - VBS Backdoor;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;SCRIPT,MAL,FILE -TeleBots_VBS_Backdoor_2;Detects TeleBots malware - VBS Backdoor;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;SCRIPT,MAL,FILE -TeleBots_Win64_Spy_KeyLogger_G;Detects TeleBots malware - Win64 Spy KeyLogger G;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;FILE,EXE -CoreImpact_sysdll_exe;Detects a malware sysdll.exe from the Rocket Kitten APT;-;2014-12-27 00:00:00;70;Florian Roth;MIDDLE_EAST,APT -Ping_Command_in_EXE;Detects an suspicious ping command execution in an executable;Internal Research;2016-11-03 00:00:00;60;Florian Roth;FILE,EXE -GoogleBot_UserAgent;Detects the GoogleBot UserAgent String in an Executable;Internal Research;2017-01-27 00:00:00;65;Florian Roth;FILE,EXE -Gen_Net_LocalGroup_Administrators_Add_Command;Detects an executable that contains a command to add a user account to the local administrators group;Internal Research;2017-07-08 00:00:00;70;Florian Roth;FILE,EXE +ME_Campaign_Malware_4;Detects malware from Middle Eastern campaign reported by 
Talos;http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html;2018-02-07 00:00:00;70;Florian Roth;MAL,EXE,FILE +ME_Campaign_Malware_5;Detects malware from Middle Eastern campaign reported by Talos;http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html;2018-02-07 00:00:00;70;Florian Roth;MAL,EXE,FILE +Indetectables_RAT;Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux;http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/;2015-10-01 00:00:00;70;Florian Roth;MAL,EXE,FILE +BergSilva_Malware;Detects a malware from the same author as the Indetectables RAT;-;2015-10-01 00:00:00;70;Florian Roth;MAL,EXE,FILE +TeleBots_IntercepterNG;Detects TeleBots malware - IntercepterNG;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;EXE,FILE +TeleBots_KillDisk_1;Detects TeleBots malware - KillDisk;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;EXE,FILE +TeleBots_KillDisk_2;Detects TeleBots malware - KillDisk;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;EXE,FILE +TeleBots_CredRaptor_Password_Stealer;Detects TeleBots malware - CredRaptor Password Stealer;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;MAL,EXE,FILE +TeleBots_VBS_Backdoor_1;Detects TeleBots malware - VBS Backdoor;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;MAL,SCRIPT,FILE +TeleBots_VBS_Backdoor_2;Detects TeleBots malware - VBS Backdoor;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;MAL,SCRIPT,FILE +TeleBots_Win64_Spy_KeyLogger_G;Detects TeleBots malware - Win64 Spy KeyLogger G;https://goo.gl/4if3HG;2016-12-14 00:00:00;70;Florian Roth;EXE,FILE +CoreImpact_sysdll_exe;Detects a malware sysdll.exe from the Rocket Kitten APT;-;2014-12-27 00:00:00;70;Florian Roth;APT,MIDDLE_EAST +Ping_Command_in_EXE;Detects an suspicious ping command execution in an executable;Internal Research;2016-11-03 00:00:00;60;Florian Roth;EXE,FILE +GoogleBot_UserAgent;Detects the 
GoogleBot UserAgent String in an Executable;Internal Research;2017-01-27 00:00:00;65;Florian Roth;EXE,FILE +Gen_Net_LocalGroup_Administrators_Add_Command;Detects an executable that contains a command to add a user account to the local administrators group;Internal Research;2017-07-08 00:00:00;70;Florian Roth;EXE,FILE Suspicious_Script_Running_from_HTTP;Detects a suspicious ;https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100;2017-08-20 00:00:00;50;Florian Roth; ReconCommands_in_File;Detects various recon commands in a single file;https://twitter.com/haroonmeer/status/939099379834658817;2017-12-11 00:00:00;40;Florian Roth; VBS_dropper_script_Dec17_1;Detects a supicious VBS script that drops an executable;Internal Research;2018-01-01 00:00:00;80;Florian Roth;SCRIPT -SUSP_PDB_Strings_Keylogger_Backdoor;Detects PDB strings used in backdoors or keyloggers;Internal Research;2018-03-23 00:00:00;65;Florian Roth;HKTL,MAL,FILE,EXE -SUSP_Microsoft_Copyright_String_Anomaly_2;Detects Floxif Malware;Internal Research;2018-05-11 00:00:00;60;Florian Roth;MAL,FILE,EXE +SUSP_PDB_Strings_Keylogger_Backdoor;Detects PDB strings used in backdoors or keyloggers;Internal Research;2018-03-23 00:00:00;65;Florian Roth;MAL,EXE,HKTL,FILE +SUSP_Microsoft_Copyright_String_Anomaly_2;Detects Floxif Malware;Internal Research;2018-05-11 00:00:00;60;Florian Roth;MAL,EXE,FILE SUSP_LNK_File_AppData_Roaming;Detects a suspicious link file that references to AppData Roaming;https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html;2018-05-16 00:00:00;50;Florian Roth;FILE SUSP_LNK_File_PathTraversal;Detects a suspicious link file that references a file multiple folders lower than the link itself;https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html;2018-05-16 00:00:00;40;Florian Roth;FILE 
SUSP_Script_Obfuscation_Char_Concat;Detects strings found in sample from CN group repo leak in October 2018;https://twitter.com/JaromirHorejsi/status/1047084277920411648;2018-10-04 00:00:00;70;Florian Roth;OBFUS SUSP_PowerShell_IEX_Download_Combo;Detects strings found in sample from CN group repo leak in October 2018;https://twitter.com/JaromirHorejsi/status/1047084277920411648;2018-10-04 00:00:00;70;Florian Roth;SCRIPT SUSP_Win32dll_String;Detects suspicious string in executables;https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739;2018-10-24 00:00:00;70;Florian Roth; -SUSP_Modified_SystemExeFileName_in_File;Detecst a variant of a system file name often used by attackers to cloak their activity;https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group;2018-12-11 00:00:00;65;Florian Roth;FILE,EXE +SUSP_Modified_SystemExeFileName_in_File;Detecst a variant of a system file name often used by attackers to cloak their activity;https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group;2018-12-11 00:00:00;65;Florian Roth;EXE,FILE SUSP_JAVA_Class_with_VBS_Content;Detects a JAVA class file with strings known from VBS files;https://www.menlosecurity.com/blog/a-jar-full-of-problems-for-financial-services-companies;2019-01-03 00:00:00;60;Florian Roth;SCRIPT,FILE -Unspecified_Malware_Sep1_A1;Detects malware from DrqgonFly APT report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE -DragonFly_APT_Sep17_1;Detects malware from DrqgonFly APT report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 00:00:00;70;Florian Roth;APT,FILE,EXE -DragonFly_APT_Sep17_2;Detects malware from DrqgonFly APT report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 
00:00:00;70;Florian Roth;APT,FILE,EXE -DragonFly_APT_Sep17_3;Detects malware from DrqgonFly APT report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 00:00:00;70;Florian Roth;APT,FILE,EXE -DragonFly_APT_Sep17_4;Detects malware from DrqgonFly APT report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 00:00:00;70;Florian Roth;APT,FILE,EXE -Silence_malware_1;Detects malware sample mentioned in the Silence report on Securelist;https://securelist.com/the-silence/83009/;2017-11-01 00:00:00;70;Florian Roth;FILE,EXE -Silence_malware_2;Detects malware sample mentioned in the Silence report on Securelist;https://securelist.com/the-silence/83009/;2017-11-01 00:00:00;70;Florian Roth;FILE,EXE -APT_APT28_Cannon_Trojan_Nov18_1;Detects Cannon Trojan used by Sofacy;https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/;2018-11-20 00:00:00;70;Florian Roth;RUSSIA,MAL,FILE,EXE -PHISH_02Dez2015_dropped_p0o6543f_1;Phishing Wave - file p0o6543f.exe;http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/;2015-12-02 00:00:00;70;Florian Roth;FILE,EXE -PHISH_02Dez2015_dropped_p0o6543f_2;Phishing Wave used MineExplorer Game by WangLei - file p0o6543f.exe.4;http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/;2015-12-03 00:00:00;70;Florian Roth;FILE,EXE +Unspecified_Malware_Sep1_A1;Detects malware from DrqgonFly APT report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE +DragonFly_APT_Sep17_1;Detects malware from DrqgonFly APT 
report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 00:00:00;70;Florian Roth;EXE,APT,FILE +DragonFly_APT_Sep17_2;Detects malware from DrqgonFly APT report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 00:00:00;70;Florian Roth;EXE,APT,FILE +DragonFly_APT_Sep17_3;Detects malware from DrqgonFly APT report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 00:00:00;70;Florian Roth;EXE,APT,FILE +DragonFly_APT_Sep17_4;Detects malware from DrqgonFly APT report;https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group;2017-09-12 00:00:00;70;Florian Roth;EXE,APT,FILE +Silence_malware_1;Detects malware sample mentioned in the Silence report on Securelist;https://securelist.com/the-silence/83009/;2017-11-01 00:00:00;70;Florian Roth;EXE,FILE +Silence_malware_2;Detects malware sample mentioned in the Silence report on Securelist;https://securelist.com/the-silence/83009/;2017-11-01 00:00:00;70;Florian Roth;EXE,FILE +APT_APT28_Cannon_Trojan_Nov18_1;Detects Cannon Trojan used by Sofacy;https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/;2018-11-20 00:00:00;70;Florian Roth;MAL,EXE,RUSSIA,FILE +PHISH_02Dez2015_dropped_p0o6543f_1;Phishing Wave - file p0o6543f.exe;http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/;2015-12-02 00:00:00;70;Florian Roth;EXE,FILE +PHISH_02Dez2015_dropped_p0o6543f_2;Phishing Wave used MineExplorer Game by WangLei - file p0o6543f.exe.4;http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/;2015-12-03 00:00:00;70;Florian Roth;EXE,FILE PHISH_02Dez2015_attach_P_ORD_C_10156_124658;Phishing Wave - 
file P-ORD-C-10156-124658.xls;http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/;2015-12-02 00:00:00;70;Florian Roth;FILE derusbi_kernel;Derusbi Driver version;-;2015-12-09 00:00:00;70;Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud;FILE derusbi_linux;Derusbi Server Linux version;-;2015-12-09 00:00:00;70;Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud;LINUX -Derusbi_Kernel_Driver_WD_UDFS;Detects Derusbi Kernel Driver;http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family;2015-12-15 00:00:00;80;Florian Roth;FILE,EXE -Derusbi_Code_Signing_Cert;Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious;http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family;2015-12-15 00:00:00;60;Florian Roth;MAL,FILE,EXE -XOR_4byte_Key;Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan);http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family;2015-12-15 00:00:00;60;Florian Roth;MAL,FILE,EXE -Derusbi_Backdoor_Mar17_1;Detects a variant of the Derusbi backdoor;Internal Research;2017-03-03 00:00:00;70;Florian Roth;MAL,FILE,EXE +Derusbi_Kernel_Driver_WD_UDFS;Detects Derusbi Kernel Driver;http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family;2015-12-15 00:00:00;80;Florian Roth;EXE,FILE +Derusbi_Code_Signing_Cert;Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious;http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family;2015-12-15 00:00:00;60;Florian Roth;MAL,EXE,FILE +XOR_4byte_Key;Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan);http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family;2015-12-15 00:00:00;60;Florian Roth;MAL,EXE,FILE +Derusbi_Backdoor_Mar17_1;Detects a variant of the Derusbi backdoor;Internal 
Research;2017-03-03 00:00:00;70;Florian Roth;MAL,EXE,FILE Reveal_MemoryCredentials;Auto-generated rule - file Reveal-MemoryCredentials.ps1;https://github.com/giMini/RWMC/;2015-08-31 00:00:00;70;Florian Roth; -MiniDumpTest_msdsc;Auto-generated rule - file msdsc.exe;https://github.com/giMini/RWMC/;2015-08-31 00:00:00;70;Florian Roth;FILE,EXE -ChinaChopper_Generic;China Chopper Webshells - PHP and ASPX;https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf;2015-03-10 00:00:00;70;Florian Roth;CHINA,WEBSHELL -APT_CobaltStrike_Beacon_Indicator;Detects CobaltStrike beacons;https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py;2018-11-09 00:00:00;70;JPCERT;FILE,EXE -WinAgent_BadPatch_1;Detects samples mentioned in BadPatch report;https://goo.gl/RvDwwA;2017-10-20 00:00:00;70;Florian Roth;FILE,EXE -WinAgent_BadPatch_2;Detects samples mentioned in BadPatch report;https://goo.gl/RvDwwA;2017-10-20 00:00:00;70;Florian Roth;FILE,EXE -SnakeTurla_Malware_May17_1;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;MAL,FILE,RUSSIA -SnakeTurla_Malware_May17_2;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;MAL,FILE,RUSSIA -SnakeTurla_Malware_May17_3;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;MAL,FILE,RUSSIA -SnakeTurla_Malware_May17_4;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;MAL,FILE,RUSSIA -SnakeTurla_Installd_SH;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;FILE,RUSSIA -SnakeTurla_Install_SH;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;FILE,RUSSIA -APT28_HospitalityMalware_document;Yara Rule for APT28_Hospitality_Malware document identification;http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf;1970-01-01 01:00:00;70;CSE CybSec Enterprise - Z-Lab;RUSSIA,MAL,APT 
+MiniDumpTest_msdsc;Auto-generated rule - file msdsc.exe;https://github.com/giMini/RWMC/;2015-08-31 00:00:00;70;Florian Roth;EXE,FILE +ChinaChopper_Generic;China Chopper Webshells - PHP and ASPX;https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf;2015-03-10 00:00:00;70;Florian Roth;WEBSHELL,CHINA +APT_CobaltStrike_Beacon_Indicator;Detects CobaltStrike beacons;https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py;2018-11-09 00:00:00;70;JPCERT;EXE,FILE +WinAgent_BadPatch_1;Detects samples mentioned in BadPatch report;https://goo.gl/RvDwwA;2017-10-20 00:00:00;70;Florian Roth;EXE,FILE +WinAgent_BadPatch_2;Detects samples mentioned in BadPatch report;https://goo.gl/RvDwwA;2017-10-20 00:00:00;70;Florian Roth;EXE,FILE +SnakeTurla_Malware_May17_1;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;MAL,RUSSIA,FILE +SnakeTurla_Malware_May17_2;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;MAL,RUSSIA,FILE +SnakeTurla_Malware_May17_3;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;MAL,RUSSIA,FILE +SnakeTurla_Malware_May17_4;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;MAL,RUSSIA,FILE +SnakeTurla_Installd_SH;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;RUSSIA,FILE +SnakeTurla_Install_SH;Detects Snake / Turla Sample;https://goo.gl/QaOh4V;2017-05-04 00:00:00;70;Florian Roth;RUSSIA,FILE +APT28_HospitalityMalware_document;Yara Rule for APT28_Hospitality_Malware document identification;http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf;1970-01-01 01:00:00;70;CSE CybSec Enterprise - Z-Lab;MAL,APT,RUSSIA APT28_HospitalityMalware_mvtband_file;Yara Rule for mvtband.dll malware;http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf;1970-01-01 01:00:00;70;CSE CybSec Enterprise - Z-Lab;EXTVAR 
APT_DonotTeam_YTYframework;Modular malware framework with similarities to EHDevel;arbornetworks.com/blog/asert/don;2018-08-03 00:00:00;70;James E.C, ProofPoint;FILE DeviceGuard_WDS_Evasion;Detects WDS file used to circumvent Device Guard;http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html;1970-01-01 01:00:00;80;Florian Roth; -BronzeButler_Daserf_Delphi_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;FILE,EXE -BronzeButler_Daserf_C_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;FILE,EXE -BronzeButler_DGet_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;FILE,EXE -BronzeButler_UACBypass_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;FILE,EXE -BronzeButler_xxmm_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;FILE,EXE -BronzeButler_RarStar_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;FILE,EXE -Daserf_Nov1_BronzeButler;Detects Daserf malware used by Bronze Butler;https://goo.gl/ffeCfd;2017-11-08 00:00:00;70;Florian Roth;FILE,EXE +BronzeButler_Daserf_Delphi_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;EXE,FILE +BronzeButler_Daserf_C_1;Detects 
malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;EXE,FILE +BronzeButler_DGet_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;EXE,FILE +BronzeButler_UACBypass_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;EXE,FILE +BronzeButler_xxmm_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;EXE,FILE +BronzeButler_RarStar_1;Detects malware / hacktool sample from Bronze Butler incident;https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses;2017-10-14 00:00:00;70;Florian Roth;EXE,FILE +Daserf_Nov1_BronzeButler;Detects Daserf malware used by Bronze Butler;https://goo.gl/ffeCfd;2017-11-08 00:00:00;70;Florian Roth;EXE,FILE TRITON_ICS_FRAMEWORK;TRITON framework recovered during Mandiant ICS incident response;https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html;1970-01-01 01:00:00;70;nicholas.carr @itsreallynick; -Triton_trilog;Detects Triton APT malware - file trilog.exe;https://goo.gl/vtQoCQ;2017-12-14 00:00:00;70;Florian Roth;APT,FILE,EXE -SharpCat;Detects command shell SharpCat - file SharpCat.exe;https://github.com/Cn33liz/SharpCat;2016-06-10 00:00:00;70;Florian Roth;FILE,EXE -Pirpi_1609_A;Detects Pirpi Backdoor - and other malware (generic rule);http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;MAL,FILE,EXE -Pirpi_1609_B;Detects Pirpi Backdoor;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;MAL,FILE,EXE +Triton_trilog;Detects Triton APT malware - file 
trilog.exe;https://goo.gl/vtQoCQ;2017-12-14 00:00:00;70;Florian Roth;EXE,APT,FILE
+SharpCat;Detects command shell SharpCat - file SharpCat.exe;https://github.com/Cn33liz/SharpCat;2016-06-10 00:00:00;70;Florian Roth;EXE,FILE
+Pirpi_1609_A;Detects Pirpi Backdoor - and other malware (generic rule);http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Pirpi_1609_B;Detects Pirpi Backdoor;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;MAL,EXE,FILE
 Invoke_OSiRis;Osiris Device Guard Bypass - file Invoke-OSiRis.ps1;Internal Research;2017-03-27 00:00:00;70;Florian Roth;
-Persistence_Agent_MacOS;Detects a Python agent that establishes persistence on macOS;https://ghostbin.com/paste/mz5nf;1970-01-01 01:00:00;70;John Lambert @JohnLaTwC;SCRIPT,MACOS
-CloudDuke_Malware;Detects CloudDuke Malware;https://www.f-secure.com/weblog/archives/00002822.html;2015-07-22 00:00:00;60;Florian Roth;RUSSIA,MAL,FILE,EXE
-SFXRAR_Acrotray;Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe;https://www.f-secure.com/weblog/archives/00002822.html;2015-07-22 00:00:00;70;Florian Roth;RUSSIA,APT,FILE,EXE
-MAL_Envrial_Jan18_1;Detects Encrial credential stealer malware;https://twitter.com/malwrhunterteam/status/953313514629853184;2018-01-21 00:00:00;70;Florian Roth;FILE,EXE
+Persistence_Agent_MacOS;Detects a Python agent that establishes persistence on macOS;https://ghostbin.com/paste/mz5nf;1970-01-01 01:00:00;70;John Lambert @JohnLaTwC;MACOS,SCRIPT
+CloudDuke_Malware;Detects CloudDuke Malware;https://www.f-secure.com/weblog/archives/00002822.html;2015-07-22 00:00:00;60;Florian Roth;MAL,EXE,RUSSIA,FILE
+SFXRAR_Acrotray;Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe;https://www.f-secure.com/weblog/archives/00002822.html;2015-07-22 00:00:00;70;Florian Roth;EXE,APT,RUSSIA,FILE
+MAL_Envrial_Jan18_1;Detects Encrial credential stealer malware;https://twitter.com/malwrhunterteam/status/953313514629853184;2018-01-21 00:00:00;70;Florian Roth;EXE,FILE
 apt_equation_exploitlib_mutexes;Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW;http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/;1970-01-01 01:00:00;70;-;
 apt_equation_doublefantasy_genericresource;Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW;http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/;1970-01-01 01:00:00;70;-;
 apt_equation_equationlaser_runtimeclasses;Rule to detect the EquationLaser malware;https://securelist.com/blog/;1970-01-01 01:00:00;70;-;
 apt_equation_cryptotable;Rule to detect the crypto library used in Equation group malware;https://securelist.com/blog/;1970-01-01 01:00:00;70;-;
 Equation_Kaspersky_TripleFantasy_1;Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW;http://goo.gl/ivt8EW;2015-02-16 00:00:00;70;Florian Roth;MAL
 Equation_Kaspersky_DoubleFantasy_1;Equation Group Malware - DoubleFantasy;http://goo.gl/ivt8EW;2015-02-16 00:00:00;70;Florian Roth;MAL
-Equation_Kaspersky_GROK_Keylogger;Equation Group Malware - GROK keylogger;http://goo.gl/ivt8EW;2015-02-16 00:00:00;70;Florian Roth;HKTL,MAL
+Equation_Kaspersky_GROK_Keylogger;Equation Group Malware - GROK keylogger;http://goo.gl/ivt8EW;2015-02-16 00:00:00;70;Florian Roth;MAL,HKTL
 Equation_Kaspersky_GreyFishInstaller;Equation Group Malware - Grey Fish;http://goo.gl/ivt8EW;2015-02-16 00:00:00;70;Florian Roth;MAL
 Equation_Kaspersky_EquationDrugInstaller;Equation Group Malware - EquationDrug installer LUTEUSOBSTOS;http://goo.gl/ivt8EW;2015-02-16 00:00:00;70;Florian Roth;MAL
 Equation_Kaspersky_EquationLaserInstaller;Equation Group Malware - EquationLaser Installer;http://goo.gl/ivt8EW;2015-02-16 00:00:00;70;Florian Roth;MAL
@@ -257,74 +257,74 @@ EquationDrug_NetworkSniffer4;EquationDrug - Network-sniffer/patcher - atmdkdrv.s
 EquationDrug_PlatformOrchestrator;EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll;http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/;2015-03-11 00:00:00;70;Florian Roth @4nc4p;
 EquationDrug_NetworkSniffer5;EquationDrug - Network-sniffer/patcher - atmdkdrv.sys;http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/;2015-03-11 00:00:00;70;Florian Roth @4nc4p;
 EquationDrug_FileSystem_Filter;EquationDrug - Filesystem filter driver - volrec.sys, scsi2mgr.sys;http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/;2015-03-11 00:00:00;70;Florian Roth @4nc4p;
-apt_equation_keyword;Rule to detect Equation group's keyword in executable file;http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/;1970-01-01 01:00:00;70;-;FILE,EXE
+apt_equation_keyword;Rule to detect Equation group's keyword in executable file;http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/;1970-01-01 01:00:00;70;-;EXE,FILE
 MAL_RTF_Embedded_OLE_PE;Detects a suspicious string often used in PE files in a hex encoded object stream;https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/;2018-01-22 00:00:00;70;Florian Roth;FILE
-CVE_2015_1674_CNGSYS;Detects exploits for CVE-2015-1674;http://www.binvul.com/viewthread.php?tid=508;2015-05-14 00:00:00;70;Florian Roth;FILE,EXE,EXPLOIT
+CVE_2015_1674_CNGSYS;Detects exploits for CVE-2015-1674;http://www.binvul.com/viewthread.php?tid=508;2015-05-14 00:00:00;70;Florian Roth;EXE,EXPLOIT,FILE
 Gazer_certificate_subject;Detects Tura's Gazer malware;https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/;2017-08-30 00:00:00;70;ESET;EXTVAR
-Gazer_certificate;Detects Tura's Gazer malware;https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/;2017-08-30 00:00:00;70;ESET;FILE,EXE
-Gazer_logfile_name;Detects Tura's Gazer malware;https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/;2017-08-30 00:00:00;70;ESET;FILE,EXE
-Exploit_MS15_077_078;MS15-078 / MS15-077 exploit - generic signature;https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200;2015-07-21 00:00:00;70;Florian Roth;FILE,EXE
-Exploit_MS15_077_078_HackingTeam;MS15-078 / MS15-077 exploit - Hacking Team code;-;2015-07-21 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_1;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_2;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_3;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_4;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_6;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_7;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_8;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_10;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
+Gazer_certificate;Detects Tura's Gazer malware;https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/;2017-08-30 00:00:00;70;ESET;EXE,FILE
+Gazer_logfile_name;Detects Tura's Gazer malware;https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/;2017-08-30 00:00:00;70;ESET;EXE,FILE
+Exploit_MS15_077_078;MS15-078 / MS15-077 exploit - generic signature;https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200;2015-07-21 00:00:00;70;Florian Roth;EXE,FILE
+Exploit_MS15_077_078_HackingTeam;MS15-078 / MS15-077 exploit - Hacking Team code;-;2015-07-21 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_1;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_2;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_3;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_4;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_6;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_7;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_8;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_10;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
 MAL_BurningUmbrella_Sample_11;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE
-MAL_BurningUmbrella_Sample_12;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_13;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_14;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_15;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_16;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_17;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_18;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_19;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_20;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_21;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_BurningUmbrella_Sample_22;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-MAL_AirdViper_Sample_Apr18_1;Detects Arid Viper malware sample;Internal Research;2018-05-04 00:00:00;70;Florian Roth;MIDDLE_EAST,FILE,EXE
-MAL_Winnti_Sample_May18_1;Detects malware sample from Burning Umbrella report - Generic Winnti Rule;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;GEN,CHINA,FILE,EXE
-MAL_Visel_Sample_May18_1;Detects Visel malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;FILE,EXE
-xRAT_1;Detects Patchwork malware;https://goo.gl/Pg3P4W;2017-12-11 00:00:00;70;Florian Roth;FILE,EXE
+MAL_BurningUmbrella_Sample_12;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_13;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_14;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_15;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_16;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_17;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_18;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_19;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_20;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_21;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_BurningUmbrella_Sample_22;Detects malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+MAL_AirdViper_Sample_Apr18_1;Detects Arid Viper malware sample;Internal Research;2018-05-04 00:00:00;70;Florian Roth;EXE,MIDDLE_EAST,FILE
+MAL_Winnti_Sample_May18_1;Detects malware sample from Burning Umbrella report - Generic Winnti Rule;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;GEN,EXE,CHINA,FILE
+MAL_Visel_Sample_May18_1;Detects Visel malware sample from Burning Umbrella report;https://401trg.pw/burning-umbrella/;2018-05-04 00:00:00;70;Florian Roth;EXE,FILE
+xRAT_1;Detects Patchwork malware;https://goo.gl/Pg3P4W;2017-12-11 00:00:00;70;Florian Roth;EXE,FILE
 mimikatz_kirbi_ticket;KiRBi ticket for mimikatz;-;1970-01-01 01:00:00;70;Benjamin DELPY (gentilkiwi);
 Prikormka;Operation Groundbait;-;1970-01-01 01:00:00;70;Anton Cherepanov;EXTVAR
-xDedic_SysScan_unpacked;Detects SysScan APT tool;https://securelist.com/blog/research/75027/xdedic-the-shady-world-of-hacked-servers-for-sale/;2016-03-14 00:00:00;70; Kaspersky Lab;FILE,APT
+xDedic_SysScan_unpacked;Detects SysScan APT tool;https://securelist.com/blog/research/75027/xdedic-the-shady-world-of-hacked-servers-for-sale/;2016-03-14 00:00:00;70; Kaspersky Lab;APT,FILE
 xdedic_packed_syscan;-;-;1970-01-01 01:00:00;70;Kaspersky Lab - modified by Florian Roth;FILE
-Chafer_Mimikatz_Custom;Detects Custom Mimikatz Version;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Florian Roth / Markus Neis;FILE,EXE
-Chafer_Exploit_Copyright_2017;Detects Oilrig Internet Server Extension with Copyright (C) 2017 Exploit;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Markus Neis;FILE,EXE
-Chafer_Portscanner;Detects Custom Portscanner used by Oilrig;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Markus Neis;FILE,EXE
-Oilrig_Myrtille;Detects Oilrig Myrtille RDP Browser;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Markus Neis;FILE,EXE
-Chafer_Packed_Mimikatz;Detects Oilrig Packed Mimikatz also detected as Chafer_WSC_x64 by FR;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Florian Roth / Markus Neis;MIDDLE_EAST,FILE,EXE
+Chafer_Mimikatz_Custom;Detects Custom Mimikatz Version;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Florian Roth / Markus Neis;EXE,FILE
+Chafer_Exploit_Copyright_2017;Detects Oilrig Internet Server Extension with Copyright (C) 2017 Exploit;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Markus Neis;EXE,FILE
+Chafer_Portscanner;Detects Custom Portscanner used by Oilrig;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Markus Neis;EXE,FILE
+Oilrig_Myrtille;Detects Oilrig Myrtille RDP Browser;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Markus Neis;EXE,FILE
+Chafer_Packed_Mimikatz;Detects Oilrig Packed Mimikatz also detected as Chafer_WSC_x64 by FR;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Florian Roth / Markus Neis;EXE,MIDDLE_EAST,FILE
 Oilrig_PS_CnC;Powershell CnC using DNS queries;https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf;2018-03-22 00:00:00;70;Markus Neis;
-RocketKitten_Keylogger;Detects Keylogger used in Rocket Kitten APT;https://goo.gl/SjQhlp;2015-09-01 00:00:00;70;Florian Roth;MIDDLE_EAST,APT,EXE,FILE,HKTL
-ZxShell_Related_Malware_CN_Group_Jul17_1;Detects a ZxShell related sample from a CN threat group;https://blogs.rsa.com/cat-phishing/;2017-07-08 00:00:00;70;Florian Roth;MAL,FILE,EXE
-ZxShell_Related_Malware_CN_Group_Jul17_2;Detects a ZxShell related sample from a CN threat group;https://blogs.rsa.com/cat-phishing/;2017-07-08 00:00:00;70;Florian Roth;MAL,FILE,EXE
-ZxShell_Related_Malware_CN_Group_Jul17_3;Detects a ZxShell related sample from a CN threat group;https://blogs.rsa.com/cat-phishing/;2017-07-08 00:00:00;70;Florian Roth;MAL,FILE,EXE
+RocketKitten_Keylogger;Detects Keylogger used in Rocket Kitten APT;https://goo.gl/SjQhlp;2015-09-01 00:00:00;70;Florian Roth;EXE,HKTL,APT,MIDDLE_EAST,FILE
+ZxShell_Related_Malware_CN_Group_Jul17_1;Detects a ZxShell related sample from a CN threat group;https://blogs.rsa.com/cat-phishing/;2017-07-08 00:00:00;70;Florian Roth;MAL,EXE,FILE
+ZxShell_Related_Malware_CN_Group_Jul17_2;Detects a ZxShell related sample from a CN threat group;https://blogs.rsa.com/cat-phishing/;2017-07-08 00:00:00;70;Florian Roth;MAL,EXE,FILE
+ZxShell_Related_Malware_CN_Group_Jul17_3;Detects a ZxShell related sample from a CN threat group;https://blogs.rsa.com/cat-phishing/;2017-07-08 00:00:00;70;Florian Roth;MAL,EXE,FILE
 ZxShell_Jul17;Detects a ZxShell - CN threat group;https://blogs.rsa.com/cat-phishing/;2017-07-08 00:00:00;70;Florian Roth;
-ZXshell_20171211_chrsben;Detects ZxShell variant surfaced in Dec 17;https://goo.gl/snc85M;2017-12-11 00:00:00;70;Florian Roth;FILE,EXE
-CVE_2015_1701_Taihou;CVE-2015-1701 compiled exploit code;http://goo.gl/W4nU0q;2015-05-13 00:00:00;70;Florian Roth;FILE,EXE,EXPLOIT
-FakeM_Generic;Detects FakeM malware samples;http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/;2016-01-25 00:00:00;85;Florian Roth;FILE,EXE
-Apolmy_Privesc_Trojan;Apolmy Privilege Escalation Trojan used in APT Terracotta;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;80;Florian Roth;MAL,APT,FILE,EXE
-Mithozhan_Trojan;Mitozhan Trojan used in APT Terracotta;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-RemoteExec_Tool;Remote Access Tool used in APT Terracotta;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;70;Florian Roth;APT,FILE,EXE
-LiuDoor_Malware_1;Liudoor Trojan used in Terracotta APT;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-LiuDoor_Malware_2;Liudoor Trojan used in Terracotta APT;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-IceFog_Malware_Feb18_1;Detects IceFog malware;https://twitter.com/ClearskySec/status/968104465818669057;2018-02-26 00:00:00;70;Florian Roth;MAL,FILE,EXE
-SUSP_SFX_RunProgram_WScript;Detects suspicious SFX as used by Gamaredon group;Internal Research;2018-09-27 00:00:00;70;Florian Roth;FILE,EXE
-Gen_Trojan_Mikey;Trojan Mikey - file sample_mikey.exe;-;2015-05-07 00:00:00;70;Florian Roth;MAL,FILE,EXE
-WannaCry_Ransomware;Detects WannaCry Ransomware;https://goo.gl/HG2j5T;2017-05-12 00:00:00;70;Florian Roth (with the help of binar.ly);EXE,RANSOM,CRIME,FILE,MAL
-WannaCry_Ransomware_Gen;Detects WannaCry Ransomware;https://www.us-cert.gov/ncas/alerts/TA17-132A;2017-05-12 00:00:00;70;Florian Roth (based on rule by US CERT);EXE,RANSOM,CRIME,FILE,MAL
-WannCry_m_vbs;Detects WannaCry Ransomware VBS;https://goo.gl/HG2j5T;2017-05-12 00:00:00;70;Florian Roth;SCRIPT,RANSOM,CRIME,FILE,MAL
-WannCry_BAT;Detects WannaCry Ransomware BATCH File;https://goo.gl/HG2j5T;2017-05-12 00:00:00;70;Florian Roth;CRIME,RANSOM,MAL,FILE
-WannaCry_RansomNote;Detects WannaCry Ransomware Note;https://goo.gl/HG2j5T;2017-05-12 00:00:00;70;Florian Roth;CRIME,RANSOM,MAL,FILE
-lazaruswannacry;Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta;https://twitter.com/neelmehta/status/864164081116225536;2017-05-15 00:00:00;70;Costin G. Raiu, Kaspersky Lab;NK,RANSOM,MAL,FILE
-MAL_ELF_VPNFilter_1;Detects VPNFilter malware;Internal Research;2018-05-24 00:00:00;70;Florian Roth;FILE,LINUX
-MAL_ELF_VPNFilter_2;Detects VPNFilter malware;Internal Research;2018-05-24 00:00:00;70;Florian Roth;FILE,LINUX
-MAL_ELF_VPNFilter_3;Detects VPNFilter malware;Internal Research;2018-05-24 00:00:00;70;Florian Roth;FILE,LINUX
-SUSP_ELF_Tor_Client;Detects VPNFilter malware;Internal Research;2018-05-24 00:00:00;70;Florian Roth;FILE,LINUX
+ZXshell_20171211_chrsben;Detects ZxShell variant surfaced in Dec 17;https://goo.gl/snc85M;2017-12-11 00:00:00;70;Florian Roth;EXE,FILE
+CVE_2015_1701_Taihou;CVE-2015-1701 compiled exploit code;http://goo.gl/W4nU0q;2015-05-13 00:00:00;70;Florian Roth;EXE,EXPLOIT,FILE
+FakeM_Generic;Detects FakeM malware samples;http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/;2016-01-25 00:00:00;85;Florian Roth;EXE,FILE
+Apolmy_Privesc_Trojan;Apolmy Privilege Escalation Trojan used in APT Terracotta;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;80;Florian Roth;MAL,EXE,APT,FILE
+Mithozhan_Trojan;Mitozhan Trojan used in APT Terracotta;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+RemoteExec_Tool;Remote Access Tool used in APT Terracotta;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;70;Florian Roth;EXE,APT,FILE
+LiuDoor_Malware_1;Liudoor Trojan used in Terracotta APT;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+LiuDoor_Malware_2;Liudoor Trojan used in Terracotta APT;https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/;2015-08-04 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+IceFog_Malware_Feb18_1;Detects IceFog malware;https://twitter.com/ClearskySec/status/968104465818669057;2018-02-26 00:00:00;70;Florian Roth;MAL,EXE,FILE
+SUSP_SFX_RunProgram_WScript;Detects suspicious SFX as used by Gamaredon group;Internal Research;2018-09-27 00:00:00;70;Florian Roth;EXE,FILE
+Gen_Trojan_Mikey;Trojan Mikey - file sample_mikey.exe;-;2015-05-07 00:00:00;70;Florian Roth;MAL,EXE,FILE
+WannaCry_Ransomware;Detects WannaCry Ransomware;https://goo.gl/HG2j5T;2017-05-12 00:00:00;70;Florian Roth (with the help of binar.ly);EXE,RANSOM,MAL,CRIME,FILE
+WannaCry_Ransomware_Gen;Detects WannaCry Ransomware;https://www.us-cert.gov/ncas/alerts/TA17-132A;2017-05-12 00:00:00;70;Florian Roth (based on rule by US CERT);EXE,RANSOM,MAL,CRIME,FILE
+WannCry_m_vbs;Detects WannaCry Ransomware VBS;https://goo.gl/HG2j5T;2017-05-12 00:00:00;70;Florian Roth;SCRIPT,RANSOM,MAL,CRIME,FILE
+WannCry_BAT;Detects WannaCry Ransomware BATCH File;https://goo.gl/HG2j5T;2017-05-12 00:00:00;70;Florian Roth;MAL,RANSOM,CRIME,FILE
+WannaCry_RansomNote;Detects WannaCry Ransomware Note;https://goo.gl/HG2j5T;2017-05-12 00:00:00;70;Florian Roth;MAL,RANSOM,CRIME,FILE
+lazaruswannacry;Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta;https://twitter.com/neelmehta/status/864164081116225536;2017-05-15 00:00:00;70;Costin G. Raiu, Kaspersky Lab;MAL,NK,RANSOM,FILE
+MAL_ELF_VPNFilter_1;Detects VPNFilter malware;Internal Research;2018-05-24 00:00:00;70;Florian Roth;LINUX,FILE
+MAL_ELF_VPNFilter_2;Detects VPNFilter malware;Internal Research;2018-05-24 00:00:00;70;Florian Roth;LINUX,FILE
+MAL_ELF_VPNFilter_3;Detects VPNFilter malware;Internal Research;2018-05-24 00:00:00;70;Florian Roth;LINUX,FILE
+SUSP_ELF_Tor_Client;Detects VPNFilter malware;Internal Research;2018-05-24 00:00:00;70;Florian Roth;LINUX,FILE
 OPCLEAVER_BackDoorLogger;Keylogger used by attackers in Operation Cleaver;http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf;2014-12-02 00:00:00;70;Cylance Inc.;HKTL
 OPCLEAVER_Jasus;ARP cache poisoner used by attackers in Operation Cleaver;http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf;2014-12-02 00:00:00;70;Cylance Inc.;
 OPCLEAVER_LoggerModule;Keylogger used by attackers in Operation Cleaver;http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf;2014-12-02 00:00:00;70;Cylance Inc.;HKTL
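Review bot: Nearly every changed line in this hunk differs from its predecessor only in the order of the trailing tag column (for example `FILE,EXE` becoming `EXE,FILE` and `MAL,FILE,EXE` becoming `MAL,EXE,FILE`), which suggests the export writes that column from an unordered set; sorting the tags before joining them would make the column stable and stop future regenerations from rewriting rows whose metadata has not changed. The same churn appears in the hunks at `@@ -348,16 +348,16 @@` and `@@ -365,20 +365,20 @@`. Separately, on the new side `SUSP_ELF_Tor_Client` carries the description `Detects VPNFilter malware`, identical to the three `MAL_ELF_VPNFilter_*` rows above it; that reads like a copy-paste leftover in the source rule's meta block rather than a description of a Tor client signature, and since this file appears to be generated it is probably worth fixing at the rule and re-exporting rather than editing here.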
@@ -348,16 +348,16 @@ OPCLEAVER_Parviz_Developer;Parviz developer known from Operation Cleaver;http://
 OPCLEAVER_CCProxy_Config;CCProxy config known from Operation Cleaver;http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf;2014-12-02 00:00:00;70;Florian Roth;HKTL
 Tofu_Backdoor;Detects Tofu Trojan;https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html;2017-02-28 00:00:00;70;Cylance;MAL
 CACTUSTORCH;Detects CactusTorch Hacktool;https://github.com/mdsecactivebreach/CACTUSTORCH;2017-07-31 00:00:00;70;Florian Roth;HKTL
-No_PowerShell;Detects an C# executable used to circumvent PowerShell detection - file nps.exe;https://github.com/Ben0xA/nps;2016-05-21 00:00:00;80;Florian Roth;SCRIPT,FILE,EXE
-PROMETHIUM_NEODYMIUM_Malware_1;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PROMETHIUM_NEODYMIUM_Malware_2;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PROMETHIUM_NEODYMIUM_Malware_3;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PROMETHIUM_NEODYMIUM_Malware_4;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PROMETHIUM_NEODYMIUM_Malware_5;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PROMETHIUM_NEODYMIUM_Malware_6;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,FILE,EXE
-RUAG_Tavdig_Malformed_Executable;Detects an embedded executable with a malformed header - known from Tavdig malware;https://goo.gl/N5MEj0;1970-01-01 01:00:00;60;Florian Roth;FILE,EXE
+No_PowerShell;Detects an C# executable used to circumvent PowerShell detection - file nps.exe;https://github.com/Ben0xA/nps;2016-05-21 00:00:00;80;Florian Roth;EXE,SCRIPT,FILE
+PROMETHIUM_NEODYMIUM_Malware_1;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PROMETHIUM_NEODYMIUM_Malware_2;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PROMETHIUM_NEODYMIUM_Malware_3;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PROMETHIUM_NEODYMIUM_Malware_4;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PROMETHIUM_NEODYMIUM_Malware_5;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PROMETHIUM_NEODYMIUM_Malware_6;Detects PROMETHIUM and NEODYMIUM malware;https://goo.gl/8abDE6;2016-12-14 00:00:00;70;Florian Roth;MAL,EXE,FILE
+RUAG_Tavdig_Malformed_Executable;Detects an embedded executable with a malformed header - known from Tavdig malware;https://goo.gl/N5MEj0;1970-01-01 01:00:00;60;Florian Roth;EXE,FILE
 RUAG_Bot_Config_File;Detects a specific config file used by malware in RUAG APT case;https://goo.gl/N5MEj0;1970-01-01 01:00:00;60;Florian Roth;APT
-RUAG_Cobra_Malware;Detects a malware mentioned in the RUAG Case called Carbon/Cobra;https://goo.gl/N5MEj0;1970-01-01 01:00:00;60;Florian Roth;NK,FILE,EXE
+RUAG_Cobra_Malware;Detects a malware mentioned in the RUAG Case called Carbon/Cobra;https://goo.gl/N5MEj0;1970-01-01 01:00:00;60;Florian Roth;EXE,NK,FILE
 RUAG_Cobra_Config_File;Detects a config text file used by malware Cobra in RUAG case;https://goo.gl/N5MEj0;1970-01-01 01:00:00;60;Florian Roth;NK
 RUAG_Exfil_Config_File;Detects a config text file used in data exfiltration in RUAG case;https://goo.gl/N5MEj0;1970-01-01 01:00:00;60;Florian Roth;
 hatman_compiled_python;Detects Hatman malware;https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware;2017-12-19 00:00:00;70;DHS/NCCIC/ICS-CERT;EXTVAR
@@ -365,20 +365,20 @@ hatman_injector;Detects Hatman malware;https://ics-cert.us-cert.gov/MAR-17-352-0
 hatman_payload;Detects Hatman malware;https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware;2017-12-19 00:00:00;70;DHS/NCCIC/ICS-CERT;EXTVAR
 hatman_combined;Detects Hatman malware;https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware;2017-12-19 00:00:00;70;DHS/NCCIC/ICS-CERT;EXTVAR
 hatman;Matches the known samples of the HatMan malware.;https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware;2017-12-19 00:00:00;70;DHS/NCCIC/ICS-CERT;EXTVAR
-WildNeutron_Sample_1;Wild Neutron APT Sample Rule - file 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-WildNeutron_Sample_2;Wild Neutron APT Sample Rule - file 8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-WildNeutron_Sample_3;Wild Neutron APT Sample Rule - file c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-WildNeutron_Sample_4;Wild Neutron APT Sample Rule - file b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-WildNeutron_Sample_5;Wild Neutron APT Sample Rule - file 1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-WildNeutron_Sample_6;Wild Neutron APT Sample Rule - file 4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-WildNeutron_Sample_7;Wild Neutron APT Sample Rule - file a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-subTee_nativecmd;NativeCmd - used by various threat groups;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;40;Florian Roth;FILE,EXE
-WildNeutron_Sample_9;Wild Neutron APT Sample Rule - file 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-WildNeutron_Sample_10;Wild Neutron APT Sample Rule - file 1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-WildNeutron_javacpl;Wild Neutron APT Sample Rule;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;APT,FILE,EXE
-Sofacy_Campaign_Mal_Feb18_cdnver;Detects Sofacy malware;https://twitter.com/ClearskySec/status/960924755355369472;2018-02-07 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-Sofacy_Trojan_Loader_Feb18_1;Sofacy Activity Feb 2018;https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100;2018-03-01 00:00:00;70;Florian Roth;RUSSIA,MAL,FILE,EXE
-SysInternals_Tool_Anomaly;SysInternals Tool Anomaly - does not contain Mark Russinovich as author;Internal Research;2016-12-06 00:00:00;70;Florian Roth;FILE,EXE
+WildNeutron_Sample_1;Wild Neutron APT Sample Rule - file 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+WildNeutron_Sample_2;Wild Neutron APT Sample Rule - file 8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+WildNeutron_Sample_3;Wild Neutron APT Sample Rule - file c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+WildNeutron_Sample_4;Wild Neutron APT Sample Rule - file b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+WildNeutron_Sample_5;Wild Neutron APT Sample Rule - file 1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+WildNeutron_Sample_6;Wild Neutron APT Sample Rule - file 4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+WildNeutron_Sample_7;Wild Neutron APT Sample Rule - file a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+subTee_nativecmd;NativeCmd - used by various threat groups;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;40;Florian Roth;EXE,FILE
+WildNeutron_Sample_9;Wild Neutron APT Sample Rule - file 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+WildNeutron_Sample_10;Wild Neutron APT Sample Rule - file 1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+WildNeutron_javacpl;Wild Neutron APT Sample Rule;https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/;2015-07-10 00:00:00;60;Florian Roth;EXE,APT,FILE
+Sofacy_Campaign_Mal_Feb18_cdnver;Detects Sofacy malware;https://twitter.com/ClearskySec/status/960924755355369472;2018-02-07 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+Sofacy_Trojan_Loader_Feb18_1;Sofacy Activity Feb 2018;https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100;2018-03-01 00:00:00;70;Florian Roth;MAL,EXE,RUSSIA,FILE
+SysInternals_Tool_Anomaly;SysInternals Tool Anomaly - does not contain Mark Russinovich as author;Internal Research;2016-12-06 00:00:00;70;Florian Roth;EXE,FILE
 WoolenGoldfish_Sample_1;Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ;http://goo.gl/NpJpVZ;2015-03-25 00:00:00;60;Florian Roth;
 WoolenGoldfish_Generic_1;Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ;http://goo.gl/NpJpVZ;2015-03-25 00:00:00;90;Florian Roth;GEN
 WoolenGoldfish_Generic_2;Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ;http://goo.gl/NpJpVZ;2015-03-25 00:00:00;90;Florian Roth;GEN
@@ -386,10 +386,10 @@ WoolenGoldfish_Generic_3;Detects a operation Woolen-Goldfish sample - http://goo GetUserSPNs_VBS;Auto-generated rule - file GetUserSPNs.vbs;https://github.com/skelsec/PyKerberoast;2016-05-21 00:00:00;70;Florian Roth; GetUserSPNs_PS1;Auto-generated rule - file GetUserSPNs.ps1;https://github.com/skelsec/PyKerberoast;2016-05-21 00:00:00;70;Florian Roth; kerberoast_PY;Auto-generated rule - file kerberoast.py;https://github.com/skelsec/PyKerberoast;2016-05-21 00:00:00;70;Florian Roth; -Quasar_RAT_1;Detects Quasar RAT;https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf;2017-04-07 00:00:00;70;Florian Roth;MAL,FILE,EXE -Quasar_RAT_2;Detects Quasar RAT;https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf;2017-04-07 00:00:00;70;Florian Roth;MAL,FILE,EXE +Quasar_RAT_1;Detects Quasar RAT;https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf;2017-04-07 00:00:00;70;Florian Roth;MAL,EXE,FILE +Quasar_RAT_2;Detects Quasar RAT;https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf;2017-04-07 00:00:00;70;Florian Roth;MAL,EXE,FILE CrowdStrike_Shamoon_DroppedFile;Rule to detect Shamoon malware http://goo.gl/QTxohN;http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf;1970-01-01 01:00:00;70;-;MIDDLE_EAST -Scarcruft_malware_Feb18_1;Detects Scarcruft malware - February 2018;https://twitter.com/craiu/status/959477129795731458;2018-02-03 00:00:00;90;Florian rootpath;FILE,EXE +Scarcruft_malware_Feb18_1;Detects Scarcruft malware - February 2018;https://twitter.com/craiu/status/959477129795731458;2018-02-03 00:00:00;90;Florian rootpath;EXE,FILE dubseven_file_set;Searches for service files loading UP007;-;2016-04-18 00:00:00;75;Matt Brooks, @cmatthewbrooks;FILE dubseven_dropper_registry_checks;Searches for registry keys checked for by the dropper;-;2016-04-18 00:00:00;75;Matt Brooks, @cmatthewbrooks;FILE dubseven_dropper_dialog_remains;Searches 
for related dialog remnants. How rude.;-;2016-04-18 00:00:00;75;Matt Brooks, @cmatthewbrooks;FILE 
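Review bot: The Scarcruft_malware_Feb18_1 row keeps `Florian rootpath` in the author column on the new side; that looks like a mangled `Florian Roth` (every neighbouring row credited to the same person reads `Florian Roth`), and since this commit already rewrites that row it would be the place to correct the field, `...;2018-02-03 00:00:00;90;Florian Roth;EXE,FILE`. If this CSV is generated from the rule files, the fix belongs in that rule's author meta rather than here, otherwise the next regeneration reintroduces it. The rest of the hunk only reorders tags and raises nothing on its own.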
@@ -401,108 +401,109 @@ SLServer_campaign_code;Searches for the related campaign code.;-;2016-04-18 00:0 SLServer_unknown_string;Searches for a unique string.;-;2016-04-18 00:00:00;75;Matt Brooks, @cmatthewbrooks;FILE Embedded_EXE_Cloaking;Detects an embedded executable in a non-executable file;-;2015-02-27 00:00:00;65;Florian Roth;EXTVAR Cloaked_as_JPG;Detects a cloaked file as JPG;-;2015-02-28 00:00:00;40;Florian Roth (eval section from Didier Stevens);EXTVAR,FILE -Suspicious_Size_explorer_exe;Detects uncommon file size of explorer.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_chrome_exe;Detects uncommon file size of chrome.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_csrss_exe;Detects uncommon file size of csrss.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_iexplore_exe;Detects uncommon file size of iexplore.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_firefox_exe;Detects uncommon file size of firefox.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_java_exe;Detects uncommon file size of java.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_lsass_exe;Detects uncommon file size of lsass.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_svchost_exe;Detects uncommon file size of svchost.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_winlogon_exe;Detects uncommon file size of winlogon.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_igfxhk_exe;Detects uncommon file size of igfxhk.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_servicehost_dll;Detects uncommon file size of servicehost.dll;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_rundll32_exe;Detects uncommon file size of rundll32.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE 
-Suspicious_Size_taskhost_exe;Detects uncommon file size of taskhost.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_spoolsv_exe;Detects uncommon file size of spoolsv.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_smss_exe;Detects uncommon file size of smss.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_Size_wininit_exe;Detects uncommon file size of wininit.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,FILE,EXE -Suspicious_AutoIt_by_Microsoft;Detects a AutoIt script with Microsoft identification;Internal Research - VT;2017-12-14 00:00:00;60;Florian Roth;FILE,EXE -SUSP_Size_of_ASUS_TuningTool;Detects an ASUS tuning tool with a suspicious size;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;60;Florian Roth;FILE,EXE +Suspicious_Size_explorer_exe;Detects uncommon file size of explorer.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_chrome_exe;Detects uncommon file size of chrome.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_csrss_exe;Detects uncommon file size of csrss.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_iexplore_exe;Detects uncommon file size of iexplore.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_firefox_exe;Detects uncommon file size of firefox.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_java_exe;Detects uncommon file size of java.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_lsass_exe;Detects uncommon file size of lsass.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_svchost_exe;Detects uncommon file size of svchost.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_winlogon_exe;Detects uncommon file size of winlogon.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE 
+Suspicious_Size_igfxhk_exe;Detects uncommon file size of igfxhk.exe;-;2015-12-21 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_servicehost_dll;Detects uncommon file size of servicehost.dll;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_rundll32_exe;Detects uncommon file size of rundll32.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_taskhost_exe;Detects uncommon file size of taskhost.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_spoolsv_exe;Detects uncommon file size of spoolsv.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_smss_exe;Detects uncommon file size of smss.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_Size_wininit_exe;Detects uncommon file size of wininit.exe;-;2015-12-23 00:00:00;60;Florian Roth;EXTVAR,EXE,FILE +Suspicious_AutoIt_by_Microsoft;Detects a AutoIt script with Microsoft identification;Internal Research - VT;2017-12-14 00:00:00;60;Florian Roth;EXE,FILE +SUSP_Size_of_ASUS_TuningTool;Detects an ASUS tuning tool with a suspicious size;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;60;Florian Roth;EXE,FILE SUSP_PiratedOffice_2007;Detects an Office document that was created with a pirated version of MS Office 2007;https://twitter.com/pwnallthethings/status/743230570440826886?lang=en;2018-12-04 00:00:00;40;Florian Roth;OFFICE,FILE SUSP_Scheduled_Task_BigSize;Detects suspiciously big scheduled task XML file as seen in combination with embedded base64 encoded PowerShell code;Internal Research;2018-12-06 00:00:00;70;Florian Roth;SCRIPT,FILE -SUSP_Putty_Unnormal_Size;Detects a putty version with a size different than the one provided by Simon Tatham (could be caused by an additional signature or malware);Internal Research;2019-01-07 00:00:00;50;Florian Roth;FILE,EXE +SUSP_Putty_Unnormal_Size;Detects a putty version with a size different than 
the one provided by Simon Tatham (could be caused by an additional signature or malware);Internal Research;2019-01-07 00:00:00;50;Florian Roth;EXE,FILE SUSP_RTF_Header_Anomaly;Detects malformed RTF header often used to trick mechanisms that check for a full RTF header;https://twitter.com/ItsReallyNick/status/975705759618158593;2019-01-20 00:00:00;70;Florian Roth;FILE -CHAOS_Payload;Detects a CHAOS back connect payload;https://github.com/tiagorlampert/CHAOS;2017-07-15 00:00:00;80;Florian Roth;FILE,EXE +CHAOS_Payload;Detects a CHAOS back connect payload;https://github.com/tiagorlampert/CHAOS;2017-07-15 00:00:00;80;Florian Roth;EXE,FILE Groups_cpassword;Groups XML contains cpassword value, which is decrypted password - key is in MSDN http://goo.gl/mHrC8P;http://www.grouppolicy.biz/2013/11/why-passwords-in-group-policy-preference-are-very-bad/;2015-09-08 00:00:00;50;Florian Roth;FILE -BlackEnergy_BE_2;Detects BlackEnergy 2 Malware;http://goo.gl/DThzLz;2015-02-19 00:00:00;70;Florian Roth;MAL,FILE,EXE +BlackEnergy_BE_2;Detects BlackEnergy 2 Malware;http://goo.gl/DThzLz;2015-02-19 00:00:00;70;Florian Roth;MAL,EXE,FILE BlackEnergy_VBS_Agent;Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs;http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/;2016-01-03 00:00:00;70;Florian Roth;SCRIPT -DropBear_SSH_Server;Detects DropBear SSH Server (not a threat but used to maintain access);http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/;2016-01-03 00:00:00;50;Florian Roth;RUSSIA,FILE,EXE -BlackEnergy_BackdoorPass_DropBear_SSH;Detects the password of the backdoored DropBear SSH Server - BlackEnergy;http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/;2016-01-03 00:00:00;70;Florian Roth;RUSSIA,MAL,FILE,EXE -BlackEnergy_KillDisk_1;Detects KillDisk malware from BlackEnergy;http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/;2016-01-03 00:00:00;80;Florian Roth;FILE,EXE -BlackEnergy_KillDisk_2;Detects KillDisk malware from 
BlackEnergy;http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/;2016-01-03 00:00:00;80;Florian Roth;FILE,EXE -BlackEnergy_Driver_USBMDM;Black Energy Driver;http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/;2016-01-04 00:00:00;70;Florian Roth;FILE,EXE -BlackEnergy_Driver_AMDIDE;Black Energy Malware;http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/;2016-01-04 00:00:00;70;Florian Roth;MAL,FILE,EXE -HawkEye_Keylogger_Feb18_1;Detects HawkEye keylogger variante observed in February 2018;https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9;2018-02-12 00:00:00;70;Florian Roth;HKTL,FILE,EXE -MAL_HawkEye_Keylogger_Gen_Dec18;Detects HawkEye Keylogger Reborn;https://twitter.com/James_inthe_box/status/1072116224652324870;2018-12-10 00:00:00;70;Florian Roth;HKTL,GEN -apt_sofacy_xtunnel;Sofacy Malware - German Bundestag;-;1970-01-01 01:00:00;75;Claudio Guarnieri;MAL,FILE,RUSSIA -Winexe_RemoteExecution;Winexe tool used by Sofacy group several APT cases;http://dokumente.linksfraktion.de/inhalt/report-orig.pdf;2015-06-19 00:00:00;70;Florian Roth;RUSSIA,APT,FILE,EXE -Sofacy_Mal2;Sofacy Group Malware Sample 2;http://dokumente.linksfraktion.de/inhalt/report-orig.pdf;2015-06-19 00:00:00;70;Florian Roth;RUSSIA,MAL,FILE,EXE -Sofacy_Mal3;Sofacy Group Malware Sample 3;http://dokumente.linksfraktion.de/inhalt/report-orig.pdf;2015-06-19 00:00:00;70;Florian Roth;RUSSIA,MAL,FILE,EXE -Sofacy_Bundestag_Batch;Sofacy Bundestags APT Batch Script;http://dokumente.linksfraktion.de/inhalt/report-orig.pdf;2015-06-19 00:00:00;70;Florian Roth;RUSSIA,APT -Exp_EPS_CVE20152545;Detects EPS Word Exploit CVE-2015-2545;Internal Research - ME;2017-07-19 00:00:00;70;Florian Roth;OFFICE,FILE,EXPLOIT +DropBear_SSH_Server;Detects DropBear SSH Server (not a threat but used to maintain 
access);http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/;2016-01-03 00:00:00;50;Florian Roth;EXE,RUSSIA,FILE +BlackEnergy_BackdoorPass_DropBear_SSH;Detects the password of the backdoored DropBear SSH Server - BlackEnergy;http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/;2016-01-03 00:00:00;70;Florian Roth;MAL,EXE,RUSSIA,FILE +BlackEnergy_KillDisk_1;Detects KillDisk malware from BlackEnergy;http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/;2016-01-03 00:00:00;80;Florian Roth;EXE,FILE +BlackEnergy_KillDisk_2;Detects KillDisk malware from BlackEnergy;http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/;2016-01-03 00:00:00;80;Florian Roth;EXE,FILE +BlackEnergy_Driver_USBMDM;Black Energy Driver;http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/;2016-01-04 00:00:00;70;Florian Roth;EXE,FILE +BlackEnergy_Driver_AMDIDE;Black Energy Malware;http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/;2016-01-04 00:00:00;70;Florian Roth;MAL,EXE,FILE +HawkEye_Keylogger_Feb18_1;Detects HawkEye keylogger variante observed in February 2018;https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9;2018-02-12 00:00:00;70;Florian Roth;EXE,HKTL,FILE +MAL_HawkEye_Keylogger_Gen_Dec18;Detects HawkEye Keylogger Reborn;https://twitter.com/James_inthe_box/status/1072116224652324870;2018-12-10 00:00:00;70;Florian Roth;GEN,HKTL +apt_sofacy_xtunnel;Sofacy Malware - German Bundestag;-;1970-01-01 01:00:00;75;Claudio Guarnieri;MAL,RUSSIA,FILE +Winexe_RemoteExecution;Winexe tool used by Sofacy group several APT cases;http://dokumente.linksfraktion.de/inhalt/report-orig.pdf;2015-06-19 00:00:00;70;Florian Roth;EXE,APT,RUSSIA,FILE +Sofacy_Mal2;Sofacy Group Malware Sample 2;http://dokumente.linksfraktion.de/inhalt/report-orig.pdf;2015-06-19 00:00:00;70;Florian Roth;MAL,EXE,RUSSIA,FILE +Sofacy_Mal3;Sofacy Group Malware Sample 
3;http://dokumente.linksfraktion.de/inhalt/report-orig.pdf;2015-06-19 00:00:00;70;Florian Roth;MAL,EXE,RUSSIA,FILE +Sofacy_Bundestag_Batch;Sofacy Bundestags APT Batch Script;http://dokumente.linksfraktion.de/inhalt/report-orig.pdf;2015-06-19 00:00:00;70;Florian Roth;APT,RUSSIA +Exp_EPS_CVE20152545;Detects EPS Word Exploit CVE-2015-2545;Internal Research - ME;2017-07-19 00:00:00;70;Florian Roth;EXPLOIT,OFFICE,FILE HoneyBee_Dropper_MalDoc;Detects samples from Operation Honeybee;https://goo.gl/JAHZVL;2018-03-03 00:00:00;70;Florian Roth;MAL,FILE -OpHoneybee_Malware_1;Detects malware from Operation Honeybee;https://goo.gl/JAHZVL;2018-03-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpHoneybee_MaoCheng_Dropper;Detects MaoCheng dropper from Operation Honeybee;https://goo.gl/JAHZVL;2018-03-03 00:00:00;70;Florian Roth;FILE,EXE -APT_Malware_CommentCrew_MiniASP;CommentCrew Malware MiniASP APT;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE +OpHoneybee_Malware_1;Detects malware from Operation Honeybee;https://goo.gl/JAHZVL;2018-03-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpHoneybee_MaoCheng_Dropper;Detects MaoCheng dropper from Operation Honeybee;https://goo.gl/JAHZVL;2018-03-03 00:00:00;70;Florian Roth;EXE,FILE +APT_Malware_CommentCrew_MiniASP;CommentCrew Malware MiniASP APT;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE APT_Project_Sauron_Scripts;Detects scripts (mostly LUA) from Project Sauron report by Kaspersky;https://goo.gl/eFoP4A;2016-08-08 00:00:00;70;Florian Roth; APT_Project_Sauron_arping_module;Detects strings from arping module - Project Sauron report by Kaspersky;https://goo.gl/eFoP4A;2016-08-08 00:00:00;70;Florian Roth; APT_Project_Sauron_kblogi_module;Detects strings from kblogi module - Project Sauron report by Kaspersky;https://goo.gl/eFoP4A;2016-08-08 00:00:00;70;Florian Roth; APT_Project_Sauron_basex_module;Detects strings from basex module - Project Sauron report by Kaspersky;https://goo.gl/eFoP4A;2016-08-08 
00:00:00;70;Florian Roth; APT_Project_Sauron_dext_module;Detects strings from dext module - Project Sauron report by Kaspersky;https://goo.gl/eFoP4A;2016-08-08 00:00:00;70;Florian Roth; -Hacktool_This_Cruft;Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report;https://goo.gl/eFoP4A;2016-08-08 00:00:00;60;Florian Roth;FILE,EXE -APT_Project_Sauron_Custom_M1;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;APT,FILE,EXE -APT_Project_Sauron_Custom_M2;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;APT,FILE,EXE -APT_Project_Sauron_Custom_M3;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;APT,FILE,EXE -APT_Project_Sauron_Custom_M4;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;APT,FILE,EXE -APT_Project_Sauron_Custom_M6;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;APT,FILE,EXE -APT_Project_Sauron_Custom_M7;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;APT,FILE,EXE -EXE_cloaked_as_TXT;Executable with TXT extension;-;1970-01-01 01:00:00;70;Florian Roth;EXTVAR,FILE,EXE +Hacktool_This_Cruft;Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report;https://goo.gl/eFoP4A;2016-08-08 00:00:00;60;Florian Roth;EXE,FILE +APT_Project_Sauron_Custom_M1;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;EXE,APT,FILE +APT_Project_Sauron_Custom_M2;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;EXE,APT,FILE +APT_Project_Sauron_Custom_M3;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;EXE,APT,FILE 
+APT_Project_Sauron_Custom_M4;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;EXE,APT,FILE +APT_Project_Sauron_Custom_M6;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;EXE,APT,FILE +APT_Project_Sauron_Custom_M7;Detects malware from Project Sauron APT;https://goo.gl/eFoP4A;2016-08-09 00:00:00;70;Florian Roth;EXE,APT,FILE +EXP_Libre_Office_CVE_2018_16858;RCE in Libre Office with crafted ODT file (CVE-2018-16858);https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html;2019-02-01 00:00:00;70;John Lambert @JohnLaTwC / modified by Florian Roth;EXPLOIT,OFFICE,FILE +EXE_cloaked_as_TXT;Executable with TXT extension;-;1970-01-01 01:00:00;70;Florian Roth;EXTVAR,EXE,FILE EXE_extension_cloaking;Executable showing different extension (Windows default 'hide known extension');-;1970-01-01 01:00:00;70;Florian Roth;EXTVAR Cloaked_RAR_File;RAR file cloaked by a different extension;-;1970-01-01 01:00:00;70;Florian Roth;EXTVAR,FILE -Base64_encoded_Executable;Detects an base64 encoded executable (often embedded);-;2015-05-28 00:00:00;40;Florian Roth;EXTVAR,FILE,EXE -Gen_Base64_EXE;Detects Base64 encoded Executable in Executable;Internal Research;2017-04-21 00:00:00;70;Florian Roth;FILE,EXE +Base64_encoded_Executable;Detects an base64 encoded executable (often embedded);-;2015-05-28 00:00:00;40;Florian Roth;EXTVAR,EXE,FILE +Gen_Base64_EXE;Detects Base64 encoded Executable in Executable;Internal Research;2017-04-21 00:00:00;70;Florian Roth;EXE,FILE Binary_Drop_Certutil;Drop binary as base64 encoded cert trick;https://goo.gl/9DNn8q;2015-07-15 00:00:00;70;Florian Roth; StegoKatz;Encoded Mimikatz in other file types;https://goo.gl/jWPBBY;2015-09-11 00:00:00;70;Florian Roth; -Obfuscated_VBS_April17;Detects cloaked Mimikatz in VBS obfuscation;Internal Research;2017-04-21 00:00:00;70;Florian Roth;SCRIPT,OBFUS +Obfuscated_VBS_April17;Detects cloaked Mimikatz in VBS 
obfuscation;Internal Research;2017-04-21 00:00:00;70;Florian Roth;OBFUS,SCRIPT Obfuscated_JS_April17;Detects cloaked Mimikatz in JS obfuscation;Internal Research;2017-04-21 00:00:00;70;Florian Roth;OBFUS URL_File_Local_EXE;Detects an .url file that points to a local executable;https://twitter.com/malwareforme/status/915300883012870144;2017-10-04 00:00:00;60;Florian Roth; -OpCloudHopper_Malware_1;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_Malware_2;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_Malware_3;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE +OpCloudHopper_Malware_1;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_Malware_2;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_Malware_3;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE OpCloudHopper_Dropper_1;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE -OpCloudHopper_Malware_4;Detects malware from Operation Cloud 
Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_Malware_5;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_Malware_6;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_Malware_7;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_Malware_8;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_Malware_9;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_Malware_10;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_Malware_11;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -OpCloudHopper_lockdown;Tools related to Operation Cloud Hopper;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -OpCloudHopper_WindowXarBot;Malware related to Operation Cloud Hopper;https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf;2017-04-07 00:00:00;70;Florian Roth;MAL,FILE,EXE 
+OpCloudHopper_Malware_4;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_Malware_5;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_Malware_6;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_Malware_7;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_Malware_8;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_Malware_9;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_Malware_10;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_Malware_11;Detects malware from Operation Cloud Hopper;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +OpCloudHopper_lockdown;Tools related to Operation Cloud Hopper;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +OpCloudHopper_WindowXarBot;Malware related to Operation Cloud 
Hopper;https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf;2017-04-07 00:00:00;70;Florian Roth;MAL,EXE,FILE OpCloudHopper_WmiDLL_inMemory;Malware related to Operation Cloud Hopper - Page 25;https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf;2017-04-07 00:00:00;70;Florian Roth;MAL VBS_WMIExec_Tool_Apr17_1;Tools related to Operation Cloud Hopper;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth; MuddyWater_Mal_Doc_Feb18_1;Detects malicious document used by MuddyWater;Internal Research - TI2T;2018-02-26 00:00:00;70;Florian Roth;MIDDLE_EAST,FILE MuddyWater_Mal_Doc_Feb18_2;Detects malicious document used by MuddyWater;Internal Research - TI2T;2018-02-26 00:00:00;70;Florian Roth;MIDDLE_EAST,FILE MAL_MuddyWater_DroppedTask_Jun18_1;Detects a dropped Windows task as used by MudyWater in June 2018;https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb;2018-06-12 00:00:00;70;Florian Roth;FILE APT10_Malware_Sample_Gen;APT 10 / Cloud Hopper malware campaign;https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html;2017-04-06 00:00:00;80;Florian Roth;MAL,APT -APT_APT10_Malware_Imphash_Dec18_1;Detects APT10 malware based on ImpHashes;AlienVault OTX IOCs - statistical sample analysis;2018-12-28 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,MAL -apt_duqu2_loaders;Rule to detect Duqu 2.0 samples;-;1970-01-01 01:00:00;70;-;FILE,EXE +APT_APT10_Malware_Imphash_Dec18_1;Detects APT10 malware based on ImpHashes;AlienVault OTX IOCs - statistical sample analysis;2018-12-28 00:00:00;70;Florian Roth;EXE,CHINA,MAL,APT,FILE +apt_duqu2_loaders;Rule to detect Duqu 2.0 samples;-;1970-01-01 01:00:00;70;-;EXE,FILE apt_duqu2_drivers;Rule to detect Duqu 2.0 drivers;-;1970-01-01 01:00:00;70;-;FILE -Duqu2_Generic1;Kaspersky APT Report - Duqu2 Sample - Generic Rule;https://goo.gl/7yKyOj;2015-06-10 00:00:00;70;Florian Roth;GEN,APT,FILE,EXE -APT_Kaspersky_Duqu2_procexp;Kaspersky APT 
Report - Duqu2 Sample - Malicious MSI;https://goo.gl/7yKyOj;2015-06-10 00:00:00;70;Florian Roth;APT,FILE,EXE -APT_Kaspersky_Duqu2_SamsungPrint;Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69;https://goo.gl/7yKyOj;2015-06-10 00:00:00;70;Florian Roth;APT,FILE,EXE -APT_Kaspersky_Duqu2_msi3_32;Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3;https://goo.gl/7yKyOj;2015-06-10 00:00:00;70;Florian Roth;APT,FILE,EXE -Zeus_Panda;Detects ZEUS Panda Malware;https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf;2017-08-04 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE +Duqu2_Generic1;Kaspersky APT Report - Duqu2 Sample - Generic Rule;https://goo.gl/7yKyOj;2015-06-10 00:00:00;70;Florian Roth;GEN,EXE,APT,FILE +APT_Kaspersky_Duqu2_procexp;Kaspersky APT Report - Duqu2 Sample - Malicious MSI;https://goo.gl/7yKyOj;2015-06-10 00:00:00;70;Florian Roth;EXE,APT,FILE +APT_Kaspersky_Duqu2_SamsungPrint;Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69;https://goo.gl/7yKyOj;2015-06-10 00:00:00;70;Florian Roth;EXE,APT,FILE +APT_Kaspersky_Duqu2_msi3_32;Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3;https://goo.gl/7yKyOj;2015-06-10 00:00:00;70;Florian Roth;EXE,APT,FILE +Zeus_Panda;Detects ZEUS Panda Malware;https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf;2017-08-04 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE apt_win32_dll_rat_1a53b0cp32e46g0qio7;Detects Inocnation Malware;https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf;1970-01-01 01:00:00;75;Fidelis Cybersecurity;MAL,FILE Lazarus_Dec_17_1;Detects Lazarus malware from incident in Dec 2017;https://goo.gl/8U6fY2;2017-12-20 00:00:00;70;Florian Roth;NK,FILE -Lazarus_Dec_17_2;Detects Lazarus malware from incident in Dec 
2017;https://goo.gl/8U6fY2;2017-12-20 00:00:00;70;Florian Roth;NK,FILE,EXE +Lazarus_Dec_17_2;Detects Lazarus malware from incident in Dec 2017;https://goo.gl/8U6fY2;2017-12-20 00:00:00;70;Florian Roth;EXE,NK,FILE Lazarus_Dec_17_4;Detects Lazarus malware from incident in Dec 2017ithumb.js;https://goo.gl/8U6fY2;2017-12-20 00:00:00;70;Florian Roth;NK Lazarus_Dec_17_5;Detects Lazarus malware from incident in Dec 2017;https://goo.gl/8U6fY2;2017-12-20 00:00:00;70;Florian Roth;NK git_CVE_2017_9800_poc;Detects a CVE-2017-9800 exploitation attempt;https://twitter.com/mzbat/status/895811803325898753;2017-08-11 00:00:00;60;Florian Roth;EXPLOIT -PowerShell_ISESteroids_Obfuscation;Detects PowerShell ISESteroids obfuscation;https://twitter.com/danielhbohannon/status/877953970437844993;2017-06-23 00:00:00;70;Florian Roth;SCRIPT,OBFUS -SUSP_Obfuscted_PowerShell_Code;Detects obfuscated PowerShell Code;https://twitter.com/silv0123/status/1073072691584880640;2018-12-13 00:00:00;70;Florian Roth;SCRIPT,OBFUS +PowerShell_ISESteroids_Obfuscation;Detects PowerShell ISESteroids obfuscation;https://twitter.com/danielhbohannon/status/877953970437844993;2017-06-23 00:00:00;70;Florian Roth;OBFUS,SCRIPT +SUSP_Obfuscted_PowerShell_Code;Detects obfuscated PowerShell Code;https://twitter.com/silv0123/status/1073072691584880640;2018-12-13 00:00:00;70;Florian Roth;OBFUS,SCRIPT Invoke_mimikittenz;Detects Mimikittenz - file Invoke-mimikittenz.ps1;https://github.com/putterpanda/mimikittenz;2016-07-19 00:00:00;90;Florian Roth;FILE Empire_Invoke_BypassUAC;Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1;https://github.com/PowerShellEmpire/Empire;2015-08-06 00:00:00;70;Florian Roth;SCRIPT Empire_lib_modules_trollsploit_message;Empire - a pure PowerShell post-exploitation agent - file message.py;https://github.com/PowerShellEmpire/Empire;2015-08-06 00:00:00;70;Florian Roth;SCRIPT 
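Review bot: The rewritten tag column does not follow one fixed order, so most of this hunk is churn that will come back on the next regeneration: on the new side APT_APT10_Malware_Imphash_Dec18_1 becomes `EXE,CHINA,MAL,APT,FILE` while Zeus_Panda becomes `MAL,EXE,CHINA,FILE`, so MAL/EXE and CHINA/MAL swap relative positions between adjacent rows. That pattern looks like tags being emitted from an unordered set rather than a sorted list; if the CSV is produced by a script, sorting before joining (e.g. `",".join(sorted(tags))`) would make the file deterministic and keep future diffs down to real signature changes. This matters for review because a reordering-only diff of this size hides an accidental tag addition or removal, and the tag column presumably drives which rules are applied to which file types. The one genuinely new row, EXP_Libre_Office_CVE_2018_16858, is consistent with its neighbours (`EXPLOIT,OFFICE,FILE`, score 70, reference and date filled in) and is fine as written.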
@@ -514,70 +515,70 @@ Empire_lib_modules_credentials_mimikatz_pth;Empire - a pure PowerShell post-expl Empire_Write_HijackDll;Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1;https://github.com/PowerShellEmpire/Empire;2015-08-06 00:00:00;70;Florian Roth;SCRIPT Empire_skeleton_key;Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py;https://github.com/PowerShellEmpire/Empire;2015-08-06 00:00:00;70;Florian Roth;SCRIPT Empire_invoke_wmi;Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py;https://github.com/PowerShellEmpire/Empire;2015-08-06 00:00:00;70;Florian Roth;SCRIPT -Hermes2_1;Detects Hermes Ransomware as used in BAE report on FEIB;https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html;2017-10-11 00:00:00;70;BAE;RANSOM,MAL,CRIME -PlugX_J16_Gen;Detects PlugX Malware samples from June 2016;VT Research;2016-06-08 00:00:00;70;Florian Roth;MAL,FILE,EXE -PlugX_J16_Gen2;Detects PlugX Malware Samples from June 2016;VT Research;2016-06-08 00:00:00;70;Florian Roth;MAL,FILE,EXE +Hermes2_1;Detects Hermes Ransomware as used in BAE report on FEIB;https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html;2017-10-11 00:00:00;70;BAE;MAL,RANSOM,CRIME +PlugX_J16_Gen;Detects PlugX Malware samples from June 2016;VT Research;2016-06-08 00:00:00;70;Florian Roth;MAL,EXE,FILE +PlugX_J16_Gen2;Detects PlugX Malware Samples from June 2016;VT Research;2016-06-08 00:00:00;70;Florian Roth;MAL,EXE,FILE crime_win_rat_AlienSpy;Alien Spy Remote Access Trojan;-;2015-04-04 00:00:00;70;General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team;MAL,FILE -ROKRAT_Malware;Detects ROKRAT Malware;http://blog.talosintelligence.com/2017/04/introducing-rokrat.html;2017-04-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -ROKRAT_Dropper_Nov17;Detects dropper for ROKRAT malware;http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html;2017-11-28 00:00:00;70;Florian Roth;MAL,FILE,EXE 
-Freeenki_Infostealer_Nov17;Detects Freenki infostealer malware;http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html;2017-11-28 00:00:00;70;Florian Roth;FILE,EXE -Freeenki_Infostealer_Nov17_Export_Sig_Testing;Detects Freenki infostealer malware;http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html;2017-11-28 00:00:00;70;Florian Roth;FILE,EXE -ROKRAT_Nov17_1;Detects ROKRAT malware;Internal Research;2017-11-28 00:00:00;70;Florian Roth;MAL,FILE,EXE -MiniRAT_Gen_1;Detects Mini RAT malware;https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news;2018-01-22 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE +ROKRAT_Malware;Detects ROKRAT Malware;http://blog.talosintelligence.com/2017/04/introducing-rokrat.html;2017-04-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +ROKRAT_Dropper_Nov17;Detects dropper for ROKRAT malware;http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html;2017-11-28 00:00:00;70;Florian Roth;MAL,EXE,FILE +Freeenki_Infostealer_Nov17;Detects Freenki infostealer malware;http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html;2017-11-28 00:00:00;70;Florian Roth;EXE,FILE +Freeenki_Infostealer_Nov17_Export_Sig_Testing;Detects Freenki infostealer malware;http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html;2017-11-28 00:00:00;70;Florian Roth;EXE,FILE +ROKRAT_Nov17_1;Detects ROKRAT malware;Internal Research;2017-11-28 00:00:00;70;Florian Roth;MAL,EXE,FILE +MiniRAT_Gen_1;Detects Mini RAT malware;https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news;2018-01-22 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE BluenoroffPoS_DLL;Bluenoroff POS malware - hkp.dll;http://blog.trex.re.kr/3?category=737685;2018-06-07 00:00:00;70;http://blog.trex.re.kr/; Fidelis_Advisory_Purchase_Order_pps;Detects a string found in a malicious document named Purchase_Order.pps;http://goo.gl/ZjJyti;2015-06-09 00:00:00;70;Florian Roth; Fidelis_Advisory_cedt370;Detects a string found in memory of malware 
cedt370r(3).exe;http://goo.gl/ZjJyti;2015-06-09 00:00:00;70;Florian Roth; -redSails_EXE;Detects Red Sails Hacktool by WinDivert references;https://github.com/BeetleChunks/redsails;2017-10-02 00:00:00;70;Florian Roth;HKTL,FILE,EXE -redSails_PY;Detects Red Sails Hacktool - Python;https://github.com/BeetleChunks/redsails;2017-10-02 00:00:00;70;Florian Roth;HKTL,SCRIPT -PUP_InstallRex_AntiFWb;Malware InstallRex / AntiFW;-;2015-05-13 00:00:00;55;Florian Roth;MAL,FILE,EXE +redSails_EXE;Detects Red Sails Hacktool by WinDivert references;https://github.com/BeetleChunks/redsails;2017-10-02 00:00:00;70;Florian Roth;EXE,HKTL,FILE +redSails_PY;Detects Red Sails Hacktool - Python;https://github.com/BeetleChunks/redsails;2017-10-02 00:00:00;70;Florian Roth;SCRIPT,HKTL +PUP_InstallRex_AntiFWb;Malware InstallRex / AntiFW;-;2015-05-13 00:00:00;55;Florian Roth;MAL,EXE,FILE QuarksPwDump_Gen;Detects all QuarksPWDump versions;-;2015-09-29 00:00:00;80;Florian Roth;HKTL Invoke_SMBExec;Detects Invoke-WmiExec or Invoke-SmbExec;https://github.com/Kevin-Robertson/Invoke-TheHash;2017-06-14 00:00:00;70;Florian Roth; Invoke_WMIExec_Gen_1;Detects Invoke-WmiExec or Invoke-SmbExec;https://github.com/Kevin-Robertson/Invoke-TheHash;2017-06-14 00:00:00;70;Florian Roth;GEN Invoke_SMBExec_Invoke_WMIExec_1;Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1;https://github.com/Kevin-Robertson/Invoke-TheHash;2017-06-14 00:00:00;70;Florian Roth; Invoke_WMIExec_Gen;Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1;https://github.com/Kevin-Robertson/Invoke-TheHash;2017-06-14 00:00:00;70;Florian Roth; -Reaver3_Malware_Nov17_1;Detects Reaver malware mentioned in PaloAltoNetworks report;https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/;2017-11-11 00:00:00;70;Florian Roth;MAL,FILE,EXE -Reaver3_Malware_Nov17_2;Detects Reaver malware mentioned in PaloAltoNetworks 
report;https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/;2017-11-11 00:00:00;70;Florian Roth;MAL,FILE,EXE -Reaver3_Malware_Nov17_3;Detects Reaver malware mentioned in PaloAltoNetworks report;https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/;2017-11-11 00:00:00;70;Florian Roth;MAL,FILE,EXE -SunOrcal_Malware_Nov17_1;Detects Reaver malware mentioned in PaloAltoNetworks report;https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/;2017-11-11 00:00:00;70;Florian Roth;MAL,FILE,EXE -Saudi_Phish_Trojan;Detects a trojan used in Saudi Aramco Phishing;https://goo.gl/Z3JUAA;2017-10-12 00:00:00;70;Florian Roth;FILE,EXE -GhostDragon_Gh0stRAT;Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report;https://blog.cylance.com/the-ghost-dragon;2016-04-23 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE -GhostDragon_Gh0stRAT_Sample2;Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report;https://blog.cylance.com/the-ghost-dragon;2016-04-23 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE -GhostDragon_Gh0stRAT_Sample3;Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report;https://blog.cylance.com/the-ghost-dragon;2016-04-23 00:00:00;70;Florian Roth;CHINA,MAL -Backdoor_Naikon_APT_Sample1;Detects backdoors related to the Naikon APT;https://goo.gl/7vHyvh;2015-05-14 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE +Reaver3_Malware_Nov17_1;Detects Reaver malware mentioned in PaloAltoNetworks report;https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/;2017-11-11 00:00:00;70;Florian Roth;MAL,EXE,FILE +Reaver3_Malware_Nov17_2;Detects Reaver malware mentioned in PaloAltoNetworks report;https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/;2017-11-11 00:00:00;70;Florian Roth;MAL,EXE,FILE +Reaver3_Malware_Nov17_3;Detects Reaver malware 
mentioned in PaloAltoNetworks report;https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/;2017-11-11 00:00:00;70;Florian Roth;MAL,EXE,FILE +SunOrcal_Malware_Nov17_1;Detects Reaver malware mentioned in PaloAltoNetworks report;https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/;2017-11-11 00:00:00;70;Florian Roth;MAL,EXE,FILE +Saudi_Phish_Trojan;Detects a trojan used in Saudi Aramco Phishing;https://goo.gl/Z3JUAA;2017-10-12 00:00:00;70;Florian Roth;EXE,FILE +GhostDragon_Gh0stRAT;Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report;https://blog.cylance.com/the-ghost-dragon;2016-04-23 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE +GhostDragon_Gh0stRAT_Sample2;Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report;https://blog.cylance.com/the-ghost-dragon;2016-04-23 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE +GhostDragon_Gh0stRAT_Sample3;Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report;https://blog.cylance.com/the-ghost-dragon;2016-04-23 00:00:00;70;Florian Roth;MAL,CHINA +Backdoor_Naikon_APT_Sample1;Detects backdoors related to the Naikon APT;https://goo.gl/7vHyvh;2015-05-14 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE Dridex_Trojan_XML;Dridex Malware in XML Document;https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503;2015-03-08 00:00:00;70;Florian Roth @4nc4p;MAL LNK_Malicious_Nov1;Detects a suspicious LNK file;https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/;2017-11-06 00:00:00;60;Florian Roth;FILE -ShadowPad_nssock2;Detects malicious nssock2.dll from ShadowPad incident - file nssock2.dll;https://securelist.com/shadowpad-in-corporate-networks/81432/;2017-08-15 00:00:00;70;Florian Roth;FILE,EXE -FIN7_Dropper_Aug17;Detects Word Dropper from Proofpoint FIN7 
Report;https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor;2017-08-04 00:00:00;70;Florian Roth;OFFICE,MAL,FILE,RUSSIA -FIN7_Backdoor_Aug17;Detects Word Dropper from Proofpoint FIN7 Report;https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor;2017-08-04 00:00:00;70;Florian Roth;OFFICE,EXE,FILE,RUSSIA,MAL -APT6_Malware_Sample_Gen;Rule written for 2 malware samples that communicated to APT6 C2 servers;https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/;2016-04-09 00:00:00;80;Florian Roth;APT,MAL,FILE,EXE -Shamoon2_Wiper;Detects Shamoon 2.0 Wiper Component;https://goo.gl/jKIfGB;2016-12-01 00:00:00;70;Florian Roth;MIDDLE_EAST,FILE,EXE -Shamoon2_ComComp;Detects Shamoon 2.0 Communication Components;https://goo.gl/jKIfGB;2016-12-01 00:00:00;70;Florian Roth (with Binar.ly);MIDDLE_EAST,FILE,EXE -EldoS_RawDisk;EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0);https://goo.gl/jKIfGB;2016-12-01 00:00:00;50;Florian Roth (with Binar.ly);MIDDLE_EAST,FILE,EXE -Shamoon_Disttrack_Dropper;Detects Shamoon 2.0 Disttrack Dropper;https://goo.gl/jKIfGB;2016-12-01 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE,EXE -CredentialStealer_Generic_Backdoor;Detects credential stealer byed on many strings that indicate password store access;Internal Research;2017-06-07 00:00:00;70;Florian Roth;GEN,FILE,EXE -Typical_Malware_String_Transforms;Detects typical strings in a reversed or otherwise modified form;Internal Research;2016-07-31 00:00:00;60;Florian Roth;MAL,FILE,EXE -Korplug_FAST;Rule to detect Korplug/PlugX FAST variant;-;2015-08-20 00:00:00;70;Florian Roth;FILE,EXE -DarkEYEv3_Cryptor;Rule to detect DarkEYEv3 encrypted executables (often malware);http://darkeyev3.blogspot.fi/;2015-05-24 00:00:00;55;Florian Roth;FILE,EXE +ShadowPad_nssock2;Detects malicious nssock2.dll from ShadowPad incident - file 
nssock2.dll;https://securelist.com/shadowpad-in-corporate-networks/81432/;2017-08-15 00:00:00;70;Florian Roth;EXE,FILE +FIN7_Dropper_Aug17;Detects Word Dropper from Proofpoint FIN7 Report;https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor;2017-08-04 00:00:00;70;Florian Roth;MAL,OFFICE,RUSSIA,FILE +FIN7_Backdoor_Aug17;Detects Word Dropper from Proofpoint FIN7 Report;https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor;2017-08-04 00:00:00;70;Florian Roth;EXE,OFFICE,RUSSIA,MAL,FILE +APT6_Malware_Sample_Gen;Rule written for 2 malware samples that communicated to APT6 C2 servers;https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/;2016-04-09 00:00:00;80;Florian Roth;MAL,EXE,APT,FILE +Shamoon2_Wiper;Detects Shamoon 2.0 Wiper Component;https://goo.gl/jKIfGB;2016-12-01 00:00:00;70;Florian Roth;EXE,MIDDLE_EAST,FILE +Shamoon2_ComComp;Detects Shamoon 2.0 Communication Components;https://goo.gl/jKIfGB;2016-12-01 00:00:00;70;Florian Roth (with Binar.ly);EXE,MIDDLE_EAST,FILE +EldoS_RawDisk;EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0);https://goo.gl/jKIfGB;2016-12-01 00:00:00;50;Florian Roth (with Binar.ly);EXE,MIDDLE_EAST,FILE +Shamoon_Disttrack_Dropper;Detects Shamoon 2.0 Disttrack Dropper;https://goo.gl/jKIfGB;2016-12-01 00:00:00;70;Florian Roth;MAL,EXE,MIDDLE_EAST,FILE +CredentialStealer_Generic_Backdoor;Detects credential stealer byed on many strings that indicate password store access;Internal Research;2017-06-07 00:00:00;70;Florian Roth;GEN,EXE,FILE +Typical_Malware_String_Transforms;Detects typical strings in a reversed or otherwise modified form;Internal Research;2016-07-31 00:00:00;60;Florian Roth;MAL,EXE,FILE +Korplug_FAST;Rule to detect Korplug/PlugX FAST variant;-;2015-08-20 00:00:00;70;Florian Roth;EXE,FILE +DarkEYEv3_Cryptor;Rule to detect DarkEYEv3 encrypted executables (often 
malware);http://darkeyev3.blogspot.fi/;2015-05-24 00:00:00;55;Florian Roth;EXE,FILE APTGroupX_PlugXTrojanLoader_StringDecode;Rule to detect PlugX Malware;https://t.co/4xQ8G2mNap;1970-01-01 01:00:00;80;Jay DiMartino;MAL -LightFTP_fftp_x86_64;Detects a light FTP server;https://github.com/hfiref0x/LightFTP;2015-05-14 00:00:00;50;Florian Roth;FILE,EXE +LightFTP_fftp_x86_64;Detects a light FTP server;https://github.com/hfiref0x/LightFTP;2015-05-14 00:00:00;50;Florian Roth;EXE,FILE LightFTP_Config;Detects a light FTP server - config file;https://github.com/hfiref0x/LightFTP;2015-05-14 00:00:00;70;Florian Roth;FILE -HttpBrowser_RAT_dropper_Gen1;Threat Group 3390 APT Sample - HttpBrowser RAT Dropper;http://snip.ly/giNB;2015-08-06 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE -HttpBrowser_RAT_Sample1;Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com;http://snip.ly/giNB;2015-08-06 00:00:00;80;Florian Roth;MAL,APT,FILE,EXE -HttpBrowser_RAT_Sample2;Threat Group 3390 APT Sample - HttpBrowser RAT Sample;http://snip.ly/giNB;2015-08-06 00:00:00;80;Florian Roth;MAL,APT,FILE,EXE -HttpBrowser_RAT_Gen;Threat Group 3390 APT Sample - HttpBrowser RAT Generic;http://snip.ly/giNB;2015-08-06 00:00:00;90;Florian Roth;APT,EXE,FILE,GEN,MAL -PlugX_NvSmartMax_Gen;Threat Group 3390 APT Sample - PlugX NvSmartMax Generic;http://snip.ly/giNB;2015-08-06 00:00:00;70;Florian Roth;GEN,APT,FILE,EXE -HttpBrowser_RAT_dropper_Gen2;Threat Group 3390 APT Sample - HttpBrowser RAT Dropper;http://snip.ly/giNB;2015-08-06 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE +HttpBrowser_RAT_dropper_Gen1;Threat Group 3390 APT Sample - HttpBrowser RAT Dropper;http://snip.ly/giNB;2015-08-06 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE +HttpBrowser_RAT_Sample1;Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com;http://snip.ly/giNB;2015-08-06 00:00:00;80;Florian Roth;MAL,EXE,APT,FILE +HttpBrowser_RAT_Sample2;Threat Group 3390 APT Sample - HttpBrowser RAT 
Sample;http://snip.ly/giNB;2015-08-06 00:00:00;80;Florian Roth;MAL,EXE,APT,FILE +HttpBrowser_RAT_Gen;Threat Group 3390 APT Sample - HttpBrowser RAT Generic;http://snip.ly/giNB;2015-08-06 00:00:00;90;Florian Roth;EXE,MAL,GEN,APT,FILE +PlugX_NvSmartMax_Gen;Threat Group 3390 APT Sample - PlugX NvSmartMax Generic;http://snip.ly/giNB;2015-08-06 00:00:00;70;Florian Roth;GEN,EXE,APT,FILE +HttpBrowser_RAT_dropper_Gen2;Threat Group 3390 APT Sample - HttpBrowser RAT Dropper;http://snip.ly/giNB;2015-08-06 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE ThreatGroup3390_Strings;Threat Group 3390 APT - Strings;http://snip.ly/giNB;2015-08-06 00:00:00;60;Florian Roth;APT -ThreatGroup3390_C2;Threat Group 3390 APT - C2 Server;http://snip.ly/giNB;2015-08-06 00:00:00;60;Florian Roth;APT,FILE,EXE +ThreatGroup3390_C2;Threat Group 3390 APT - C2 Server;http://snip.ly/giNB;2015-08-06 00:00:00;60;Florian Roth;EXE,APT,FILE glassRAT;Detects GlassRAT by RSA (modified by Florian Roth - speed improvements);-;2015-11-03 00:00:00;70;RSA RESEARCH;MAL -GlassRAT_Generic;Detects GlassRAT Malware;https://blogs.rsa.com/peering-into-glassrat/;2015-11-23 00:00:00;80;Florian Roth;MAL,FILE,EXE -TurlaMosquito_Mal_1;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE -TurlaMosquito_Mal_2;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE -TurlaMosquito_Mal_3;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE -TurlaMosquito_Mal_4;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE 
-TurlaMosquito_Mal_5;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE -TurlaMosquito_Mal_6;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE -TurlaMosquito_Mal_7;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE +GlassRAT_Generic;Detects GlassRAT Malware;https://blogs.rsa.com/peering-into-glassrat/;2015-11-23 00:00:00;80;Florian Roth;MAL,EXE,FILE +TurlaMosquito_Mal_1;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE +TurlaMosquito_Mal_2;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE +TurlaMosquito_Mal_3;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE +TurlaMosquito_Mal_4;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE +TurlaMosquito_Mal_5;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE +TurlaMosquito_Mal_6;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE 
+TurlaMosquito_Mal_7;Detects malware sample from Turla Mosquito report;https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf;2018-02-22 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE Msfpayloads_msf;Metasploit Payloads - file msf.sh;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT,FILE Msfpayloads_msf_2;Metasploit Payloads - file msf.asp;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT Msfpayloads_msf_psh;Metasploit Payloads - file msf-psh.vba;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT 
@@ -591,39 +592,39 @@ Msfpayloads_msf_7;Metasploit Payloads - file msf.vba;Internal Research;2017-02-0 Msfpayloads_msf_8;Metasploit Payloads - file msf.ps1;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT Msfpayloads_msf_cmd;Metasploit Payloads - file msf-cmd.ps1;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT Msfpayloads_msf_9;Metasploit Payloads - file msf.war - contents;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT -Msfpayloads_msf_10;Metasploit Payloads - file msf.exe;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT,FILE,EXE -Msfpayloads_msf_svc;Metasploit Payloads - file msf-svc.exe;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT,FILE,EXE +Msfpayloads_msf_10;Metasploit Payloads - file msf.exe;Internal Research;2017-02-09 00:00:00;70;Florian Roth;EXE,METASPLOIT,FILE +Msfpayloads_msf_svc;Metasploit Payloads - file msf-svc.exe;Internal Research;2017-02-09 00:00:00;70;Florian Roth;EXE,METASPLOIT,FILE Msfpayloads_msf_11;Metasploit Payloads - file msf.hta;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT Msfpayloads_msf_ref;Metasploit Payloads - file msf-ref.ps1;Internal Research;2017-02-09 00:00:00;70;Florian Roth;METASPLOIT -MAL_Metasploit_Framework_UA;Detects User Agent used in Metasploit Framework;https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7;2018-08-16 00:00:00;65;Florian Roth;METASPLOIT,FILE,EXE -Industroyer_Malware_1;Detects Industroyer related malware;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;MAL,FILE,EXE -Industroyer_Malware_2;Detects Industroyer related malware;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;MAL,FILE,EXE -Industroyer_Portscan_3;Detects Industroyer related custom port scaner;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;FILE,EXE +MAL_Metasploit_Framework_UA;Detects User Agent used in Metasploit 
Framework;https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7;2018-08-16 00:00:00;65;Florian Roth;EXE,METASPLOIT,FILE +Industroyer_Malware_1;Detects Industroyer related malware;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;MAL,EXE,FILE +Industroyer_Malware_2;Detects Industroyer related malware;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;MAL,EXE,FILE +Industroyer_Portscan_3;Detects Industroyer related custom port scaner;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;EXE,FILE Industroyer_Portscan_3_Output;Detects Industroyer related custom port scaner output file;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth; -Industroyer_Malware_4;Detects Industroyer related malware;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;MAL,FILE,EXE -Industroyer_Malware_5;Detects Industroyer related malware;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;MAL,FILE,EXE -Emdivi_SFX;Detects Emdivi malware in SFX Archive;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;70;Florian Roth @Cyber0ps;FILE,EXE -Emdivi_Gen1;Detects Emdivi Malware;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;80;Florian Roth @Cyber0ps;MAL,FILE,EXE -Emdivi_Gen2;Detects Emdivi Malware;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;80;Florian Roth @Cyber0ps;MAL,FILE,EXE -Emdivi_Gen3;Detects Emdivi Malware;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;80;Florian Roth @Cyber0ps;MAL,FILE,EXE -Emdivi_Gen4;Detects Emdivi Malware;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;80;Florian Roth @Cyber0ps;MAL,FILE,EXE +Industroyer_Malware_4;Detects Industroyer related malware;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;MAL,EXE,FILE 
+Industroyer_Malware_5;Detects Industroyer related malware;https://goo.gl/x81cSy;2017-06-13 00:00:00;70;Florian Roth;MAL,EXE,FILE +Emdivi_SFX;Detects Emdivi malware in SFX Archive;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;70;Florian Roth @Cyber0ps;EXE,FILE +Emdivi_Gen1;Detects Emdivi Malware;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;80;Florian Roth @Cyber0ps;MAL,EXE,FILE +Emdivi_Gen2;Detects Emdivi Malware;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;80;Florian Roth @Cyber0ps;MAL,EXE,FILE +Emdivi_Gen3;Detects Emdivi Malware;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;80;Florian Roth @Cyber0ps;MAL,EXE,FILE +Emdivi_Gen4;Detects Emdivi Malware;https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/;2015-08-20 00:00:00;80;Florian Roth @Cyber0ps;MAL,EXE,FILE crime_ole_loadswf_cve_2018_4878;Detects CVE-2018-4878;hxxps://www[.]krcert[.]or[.kr/data/secNoticeView.do?bulletin_writing_sequence=26998;1970-01-01 01:00:00;70;Vitali Kremez, Flashpoint;EXPLOIT -rtf_CVE_2018_0802;Attempts to exploit CVE-2018-0802;http://www.freebuf.com/vuls/159789.html;1970-01-01 01:00:00;70;Rich Warren;FILE,EXPLOIT -KR_Target_Malware_Aug17;Detects malware that targeted South Korea in Aug 2017 - file MRDqsbuEqGxrgqtbXU.exe;https://twitter.com/eyalsela/status/900250203097354240;2017-08-23 00:00:00;70;Florian Roth;MAL,FILE,EXE -Unspecified_Malware_Jul17_2C;Unspecified Malware - CN relation;https://goo.gl/CX3KaY;2017-07-18 00:00:00;70;Florian Roth;MAL,FILE,EXE +rtf_CVE_2018_0802;Attempts to exploit CVE-2018-0802;http://www.freebuf.com/vuls/159789.html;1970-01-01 01:00:00;70;Rich Warren;EXPLOIT,FILE +KR_Target_Malware_Aug17;Detects malware that targeted South Korea in Aug 2017 - file 
MRDqsbuEqGxrgqtbXU.exe;https://twitter.com/eyalsela/status/900250203097354240;2017-08-23 00:00:00;70;Florian Roth;MAL,EXE,FILE +Unspecified_Malware_Jul17_2C;Unspecified Malware - CN relation;https://goo.gl/CX3KaY;2017-07-18 00:00:00;70;Florian Roth;MAL,EXE,FILE Mimipenguin_SH;Detects Mimipenguin Password Extractor - Linux;https://github.com/huntergregal/mimipenguin;2017-04-01 00:00:00;70;Florian Roth;LINUX mimipenguin_1;Detects Mimipenguin hack tool;https://github.com/huntergregal/mimipenguin;2017-07-08 00:00:00;70;Florian Roth;FILE mimipenguin_2;Detects Mimipenguin hack tool;https://github.com/huntergregal/mimipenguin;2017-07-08 00:00:00;70;Florian Roth;FILE Mirai_Botnet_Malware;Detects Mirai Botnet Malware;Internal Research;2016-10-04 00:00:00;70;Florian Roth;MAL,FILE Mirai_1_May17;Detects Mirai Malware;Internal Research;2017-05-12 00:00:00;70;Florian Roth;MAL,FILE Miari_2_May17;Detects Mirai Malware;Internal Research;2017-05-12 00:00:00;70;Florian Roth;MAL,FILE -MAL_ELF_LNX_Mirai_Oct10_1;Detects ELF Mirai variant;Internal Research;2018-10-27 00:00:00;70;Florian Roth;FILE,LINUX -MAL_ELF_LNX_Mirai_Oct10_2;Detects ELF malware Mirai related;Internal Research;2018-10-27 00:00:00;70;Florian Roth;FILE,LINUX -rtf_cve2017_11882_ole;Attempts to identify the exploit CVE 2017 11882;https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about;1970-01-01 01:00:00;60;John Davison;EXTVAR,EXPLOIT -rtf_cve2017_11882;Attempts to identify the exploit CVE 2017 11882;https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about;1970-01-01 01:00:00;60;John Davison;EXTVAR,EXPLOIT -packager_cve2017_11882;Attempts to exploit CVE-2017-11882 using Packager;https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py;1970-01-01 01:00:00;60;Rich Warren;FILE,EXPLOIT -CVE_2017_11882_RTF;Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882;Internal Research;2018-02-13 00:00:00;60;Florian 
Roth;FILE,EXPLOIT -EXP_potential_CVE_2017_11882;-;https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html;1970-01-01 01:00:00;70;ReversingLabs;FILE,EXPLOIT +MAL_ELF_LNX_Mirai_Oct10_1;Detects ELF Mirai variant;Internal Research;2018-10-27 00:00:00;70;Florian Roth;LINUX,FILE +MAL_ELF_LNX_Mirai_Oct10_2;Detects ELF malware Mirai related;Internal Research;2018-10-27 00:00:00;70;Florian Roth;LINUX,FILE +rtf_cve2017_11882_ole;Attempts to identify the exploit CVE 2017 11882;https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about;1970-01-01 01:00:00;60;John Davison;EXPLOIT,EXTVAR +rtf_cve2017_11882;Attempts to identify the exploit CVE 2017 11882;https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about;1970-01-01 01:00:00;60;John Davison;EXPLOIT,EXTVAR +packager_cve2017_11882;Attempts to exploit CVE-2017-11882 using Packager;https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py;1970-01-01 01:00:00;60;Rich Warren;EXPLOIT,FILE +CVE_2017_11882_RTF;Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882;Internal Research;2018-02-13 00:00:00;60;Florian Roth;EXPLOIT,FILE +EXP_potential_CVE_2017_11882;-;https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html;1970-01-01 01:00:00;70;ReversingLabs;EXPLOIT,FILE iexplore_ANOMALY;Abnormal iexplore.exe - typical strings not found in file;-;2014-04-23 00:00:00;55;Florian Roth;EXTVAR svchost_ANOMALY;Abnormal svchost.exe - typical strings not found in file;-;2014-04-23 00:00:00;55;Florian Roth;EXTVAR explorer_ANOMALY;Abnormal explorer.exe - typical strings not found in file;-;2014-05-27 00:00:00;55;Florian Roth;EXTVAR 
@@ -641,157 +642,157 @@ SndVol_ANOMALY;Anomaly rule looking for certain strings in a system file (maybe
 doskey_ANOMALY;Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file doskey.exe;not set;2015-03-16 00:00:00;70;Florian Roth;EXTVAR
 lsass_ANOMALY;Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe;not set;2015-03-16 00:00:00;70;Florian Roth;EXTVAR
 taskmgr_ANOMALY;Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe;not set;2015-03-16 00:00:00;70;Florian Roth;EXTVAR
-APT_Cloaked_PsExec;Looks like a cloaked PsExec. May be APT group activity.;-;2014-07-18 00:00:00;60;Florian Roth;EXTVAR,APT,FILE,EXE
-APT_Cloaked_SuperScan;Looks like a cloaked SuperScan Port Scanner. May be APT group activity.;-;2014-07-18 00:00:00;50;Florian Roth;EXTVAR,HKTL,APT
-APT_Cloaked_ScanLine;Looks like a cloaked ScanLine Port Scanner. May be APT group activity.;-;2014-07-18 00:00:00;50;Florian Roth;EXTVAR,HKTL,APT
+APT_Cloaked_PsExec;Looks like a cloaked PsExec. May be APT group activity.;-;2014-07-18 00:00:00;60;Florian Roth;EXTVAR,EXE,APT,FILE
+APT_Cloaked_SuperScan;Looks like a cloaked SuperScan Port Scanner. May be APT group activity.;-;2014-07-18 00:00:00;50;Florian Roth;APT,HKTL,EXTVAR
+APT_Cloaked_ScanLine;Looks like a cloaked ScanLine Port Scanner.
May be APT group activity.;-;2014-07-18 00:00:00;50;Florian Roth;APT,HKTL,EXTVAR
 SAM_Hive_Backup;Detects a SAM hive backup file;https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump;2015-03-31 00:00:00;60;Florian Roth;EXTVAR,FILE
-SUSP_Renamed_Dot1Xtray;Detects a legitimate renamed dot1ctray.exe, which is often used by PlugX for DLL side-loading;Internal Research;2018-11-15 00:00:00;70;Florian Roth;EXTVAR,FILE,EXE
-mswin_check_lm_group;Chinese Hacktool Set - file mswin_check_lm_group.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-WAF_Bypass;Chinese Hacktool Set - file WAF-Bypass.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Guilin_veterans_cookie_spoofing_tool;Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-MarathonTool;Chinese Hacktool Set - file MarathonTool.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-PLUGIN_TracKid;Chinese Hacktool Set - file TracKid.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Pc_pc2015;Chinese Hacktool Set - file pc2015.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-sekurlsa;Chinese Hacktool Set - file sekurlsa.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-mysqlfast;Chinese Hacktool Set - file mysqlfast.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-DTools2_02_DTools;Chinese Hacktool Set - file DTools.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-dll_PacketX;Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library;http://tools.zjqhr.com/;2015-06-13 00:00:00;50;Florian Roth;HKTL,CHINA,FILE,EXE
-SqlDbx_zhs;Chinese Hacktool Set - file SqlDbx_zhs.exe;http://tools.zjqhr.com/;2015-06-13
00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-ms10048_x86;Chinese Hacktool Set - file ms10048-x86.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_ch;Chinese Hacktool Set - file ch.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-DUBrute_DUBrute;Chinese Hacktool Set - file DUBrute.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CookieTools;Chinese Hacktool Set - file CookieTools.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-update_PcInit;Chinese Hacktool Set - file PcInit.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-dat_NaslLib;Chinese Hacktool Set - file NaslLib.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_1;Chinese Hacktool Set - file 1.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-OtherTools_servu;Chinese Hacktool Set - file svu.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA
-ustrrefadd;Chinese Hacktool Set - file ustrrefadd.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-XScanLib;Chinese Hacktool Set - file XScanLib.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-IDTools_For_WinXP_IdtTool;Chinese Hacktool Set - file IdtTool.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-GoodToolset_ms11046;Chinese Hacktool Set - file ms11046.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Cmdshell32;Chinese Hacktool Set - file Cmdshell32.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Sniffer_analyzer_SSClone_1210_full_version;Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-x64_klock;Chinese
Hacktool Set - file klock.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_Down32;Chinese Hacktool Set - file Down32.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-MarathonTool_2;Chinese Hacktool Set - file MarathonTool.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-scanms_scanms;Chinese Hacktool Set - file scanms.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CN_Tools_PcShare;Chinese Hacktool Set - file PcShare.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-pw_inspector;Chinese Hacktool Set - file pw-inspector.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dll_LoadEx;Chinese Hacktool Set - file Dll_LoadEx.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-dat_report;Chinese Hacktool Set - file report.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_iis7;Chinese Hacktool Set - file iis7.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-SwitchSniffer;Chinese Hacktool Set - file SwitchSniffer.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-dbexpora;Chinese Hacktool Set - file dbexpora.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-SQLCracker;Chinese Hacktool Set - file SQLCracker.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-FreeVersion_debug;Chinese Hacktool Set - file debug.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_look;Chinese Hacktool Set - file look.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-NtGodMode;Chinese Hacktool Set - file NtGodMode.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-WebCrack4_RouterPasswordCracking;Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-hscan_gui;Chinese Hacktool Set - file hscan-gui.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-S_MultiFunction_Scanners_s;Chinese Hacktool Set - file s.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_GetPass;Chinese Hacktool Set - file GetPass.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-update_PcMain;Chinese Hacktool Set - file PcMain.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_sys;Chinese Hacktool Set - file sys.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-dat_xpf;Chinese Hacktool Set - file xpf.sys;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Project1;Chinese Hacktool Set - file Project1.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Arp_EMP_v1_0;Chinese Hacktool Set - file Arp EMP v1.0.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CN_Tools_MyUPnP;Chinese Hacktool Set - file MyUPnP.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CN_Tools_Shiell;Chinese Hacktool Set - file Shiell.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-cndcom_cndcom;Chinese Hacktool Set - file cndcom.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-IsDebug_V1_4;Chinese Hacktool Set - file IsDebug V1.4.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-HTTPSCANNER;Chinese Hacktool Set - file HTTPSCANNER.EXE;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-HScan_v1_20_PipeCmd;Chinese Hacktool Set - file
PipeCmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_fp;Chinese Hacktool Set - file fp.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_netstat;Chinese Hacktool Set - file netstat.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CN_Tools_xsniff;Chinese Hacktool Set - file xsniff.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-MSSqlPass;Chinese Hacktool Set - file MSSqlPass.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-WSockExpert;Chinese Hacktool Set - file WSockExpert.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Ms_Viru_racle;Chinese Hacktool Set - file racle.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-lamescan3;Chinese Hacktool Set - file lamescan3.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CN_Tools_pc;Chinese Hacktool Set - file pc.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_Down64;Chinese Hacktool Set - file Down64.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-epathobj_exp32;Chinese Hacktool Set - file epathobj_exp32.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Tools_unknown;Chinese Hacktool Set - file unknown.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-PLUGIN_AJunk;Chinese Hacktool Set - file AJunk.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-IISPutScanner;Chinese Hacktool Set - file IISPutScanner.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-IDTools_For_WinXP_IdtTool_2;Chinese Hacktool Set - file IdtTool.sys;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-hkmjjiis6;Chinese
Hacktool Set - file hkmjjiis6.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_lcx;Chinese Hacktool Set - file lcx.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-x_way2_5_X_way;Chinese Hacktool Set - file X-way.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-tools_Sqlcmd;Chinese Hacktool Set - file Sqlcmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Sword1_5;Chinese Hacktool Set - file Sword1.5.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Tools_scan;Chinese Hacktool Set - file scan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_c;Chinese Hacktool Set - file c.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-arpsniffer;Chinese Hacktool Set - file arpsniffer.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-pw_inspector_2;Chinese Hacktool Set - file pw-inspector.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-datPcShare;Chinese Hacktool Set - file datPcShare.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Tools_xport;Chinese Hacktool Set - file xport.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Pc_xai;Chinese Hacktool Set - file xai.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Radmin_Hash;Chinese Hacktool Set - file Radmin_Hash.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-OSEditor;Chinese Hacktool Set - file OSEditor.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-GoodToolset_ms11011;Chinese Hacktool Set - file ms11011.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-FreeVersion_release;Chinese Hacktool
Set - file release.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-churrasco;Chinese Hacktool Set - file churrasco.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-x64_KiwiCmd;Chinese Hacktool Set - file KiwiCmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-sql1433_SQL;Chinese Hacktool Set - file SQL.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CookieTools2;Chinese Hacktool Set - file CookieTools2.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-cyclotron;Chinese Hacktool Set - file cyclotron.sys;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-xscan_gui;Chinese Hacktool Set - file xscan_gui.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CN_Tools_hscan;Chinese Hacktool Set - file hscan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-GoodToolset_pr;Chinese Hacktool Set - file pr.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-hydra_7_4_1_hydra;Chinese Hacktool Set - file hydra.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CN_Tools_srss_2;Chinese Hacktool Set - file srss.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_NtGod;Chinese Hacktool Set - file NtGod.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CN_Tools_VNCLink;Chinese Hacktool Set - file VNCLink.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-tools_NTCmd;Chinese Hacktool Set - file NTCmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-mysql_pwd_crack;Chinese Hacktool Set - file mysql_pwd_crack.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CmdShell64;Chinese Hacktool Set - file CmdShell64.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Ms_Viru_v;Chinese Hacktool Set - file v.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-CN_Tools_Vscan;Chinese Hacktool Set - file Vscan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Dos_iis;Chinese Hacktool Set - file iis.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-IISPutScannesr;Chinese Hacktool Set - file IISPutScannesr.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Generate;Chinese Hacktool Set - file Generate.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,FILE,HKTL,GEN
-Pc_rejoice;Chinese Hacktool Set - file rejoice.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-ms11080_withcmd;Chinese Hacktool Set - file ms11080_withcmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-OtherTools_xiaoa;Chinese Hacktool Set - file xiaoa.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-unknown2;Chinese Hacktool Set - file unknown2.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-hydra_7_3_hydra;Chinese Hacktool Set - file hydra.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-OracleScan;Chinese Hacktool Set - file OracleScan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-SQLTools;Chinese Hacktool Set - file SQLTools.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-portscanner;Chinese Hacktool Set - file portscanner.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-kappfree;Chinese Hacktool Set - file kappfree.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian
Roth;HKTL,CHINA,FILE,EXE
-Smartniff;Chinese Hacktool Set - file Smartniff.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-ChinaChopper_caidao;Chinese Hacktool Set - file caidao.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-KiwiTaskmgr_2;Chinese Hacktool Set - file KiwiTaskmgr.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-kappfree_2;Chinese Hacktool Set - file kappfree.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-x_way2_5_sqlcmd;Chinese Hacktool Set - file sqlcmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-Win32_klock;Chinese Hacktool Set - file klock.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-ipsearcher;Chinese Hacktool Set - file ipsearcher.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-ms10048_x64;Chinese Hacktool Set - file ms10048-x64.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-hscangui;Chinese Hacktool Set - file hscangui.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-GoodToolset_ms11080;Chinese Hacktool Set - file ms11080.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-epathobj_exp64;Chinese Hacktool Set - file epathobj_exp64.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-kelloworld_2;Chinese Hacktool Set - file kelloworld.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-HScan_v1_20_hscan;Chinese Hacktool Set - file hscan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-_Project1_Generate_rejoice;Chinese Hacktool Set - from files Project1.exe, Generate.exe, rejoice.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,FILE,HKTL,GEN
-_hscan_hscan_hscangui;Chinese Hacktool Set - from files hscan.exe, hscan.exe, hscangui.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-kiwi_tools;Chinese Hacktool Set;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-kiwi_tools_gentil_kiwi;Chinese Hacktool Set;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,EXE
-EnigmaPacker_Rare;Detects an ENIGMA packed executable;Internal Research;2017-04-27 00:00:00;60;Florian Roth;FILE,EXE
-Enigma_Protected_Malware_May17_RhxFiles;Auto-generated rule - file RhxFiles.dll;Internal Research;2017-05-02 00:00:00;70;Florian Roth with the help of binar.ly;MAL,FILE,EXE
-Enigma_Protected_Malware;Detects samples packed by Enigma Protector;https://goo.gl/OEVQ9w;2017-02-03 00:00:00;70;Florian Roth with the help of binar.ly;FILE,EXE
-MAL_LNX_SSHDOOR_Triton;Signature detecting ;https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf;2018-12-05 00:00:00;70;Marc-Etienne M.Leveille, modified by Florian Roth;FILE,LINUX
-KHRAT_Malware;Detects an Imphash of KHRAT malware;https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/;2017-08-31 00:00:00;70;Florian Roth;MAL,FILE,EXE
+SUSP_Renamed_Dot1Xtray;Detects a legitimate renamed dot1ctray.exe, which is often used by PlugX for DLL side-loading;Internal Research;2018-11-15 00:00:00;70;Florian Roth;EXTVAR,EXE,FILE
+mswin_check_lm_group;Chinese Hacktool Set - file mswin_check_lm_group.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+WAF_Bypass;Chinese Hacktool Set - file WAF-Bypass.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Guilin_veterans_cookie_spoofing_tool;Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+MarathonTool;Chinese Hacktool Set -
file MarathonTool.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+PLUGIN_TracKid;Chinese Hacktool Set - file TracKid.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Pc_pc2015;Chinese Hacktool Set - file pc2015.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+sekurlsa;Chinese Hacktool Set - file sekurlsa.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+mysqlfast;Chinese Hacktool Set - file mysqlfast.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+DTools2_02_DTools;Chinese Hacktool Set - file DTools.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+dll_PacketX;Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library;http://tools.zjqhr.com/;2015-06-13 00:00:00;50;Florian Roth;EXE,CHINA,HKTL,FILE
+SqlDbx_zhs;Chinese Hacktool Set - file SqlDbx_zhs.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+ms10048_x86;Chinese Hacktool Set - file ms10048-x86.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_ch;Chinese Hacktool Set - file ch.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+DUBrute_DUBrute;Chinese Hacktool Set - file DUBrute.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+CookieTools;Chinese Hacktool Set - file CookieTools.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+update_PcInit;Chinese Hacktool Set - file PcInit.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+dat_NaslLib;Chinese Hacktool Set - file NaslLib.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_1;Chinese Hacktool Set - file 1.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian
Roth;EXE,CHINA,HKTL,FILE
+OtherTools_servu;Chinese Hacktool Set - file svu.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;CHINA,HKTL
+ustrrefadd;Chinese Hacktool Set - file ustrrefadd.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+XScanLib;Chinese Hacktool Set - file XScanLib.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+IDTools_For_WinXP_IdtTool;Chinese Hacktool Set - file IdtTool.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+GoodToolset_ms11046;Chinese Hacktool Set - file ms11046.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Cmdshell32;Chinese Hacktool Set - file Cmdshell32.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Sniffer_analyzer_SSClone_1210_full_version;Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+x64_klock;Chinese Hacktool Set - file klock.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_Down32;Chinese Hacktool Set - file Down32.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+MarathonTool_2;Chinese Hacktool Set - file MarathonTool.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+scanms_scanms;Chinese Hacktool Set - file scanms.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+CN_Tools_PcShare;Chinese Hacktool Set - file PcShare.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+pw_inspector;Chinese Hacktool Set - file pw-inspector.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dll_LoadEx;Chinese Hacktool Set - file Dll_LoadEx.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+dat_report;Chinese Hacktool Set - file report.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_iis7;Chinese Hacktool Set - file iis7.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+SwitchSniffer;Chinese Hacktool Set - file SwitchSniffer.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+dbexpora;Chinese Hacktool Set - file dbexpora.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+SQLCracker;Chinese Hacktool Set - file SQLCracker.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+FreeVersion_debug;Chinese Hacktool Set - file debug.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_look;Chinese Hacktool Set - file look.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+NtGodMode;Chinese Hacktool Set - file NtGodMode.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+WebCrack4_RouterPasswordCracking;Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+hscan_gui;Chinese Hacktool Set - file hscan-gui.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+S_MultiFunction_Scanners_s;Chinese Hacktool Set - file s.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_GetPass;Chinese Hacktool Set - file GetPass.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+update_PcMain;Chinese Hacktool Set - file PcMain.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_sys;Chinese Hacktool Set - file sys.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+dat_xpf;Chinese Hacktool Set - file xpf.sys;http://tools.zjqhr.com/;2015-06-13
00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Project1;Chinese Hacktool Set - file Project1.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Arp_EMP_v1_0;Chinese Hacktool Set - file Arp EMP v1.0.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+CN_Tools_MyUPnP;Chinese Hacktool Set - file MyUPnP.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+CN_Tools_Shiell;Chinese Hacktool Set - file Shiell.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+cndcom_cndcom;Chinese Hacktool Set - file cndcom.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+IsDebug_V1_4;Chinese Hacktool Set - file IsDebug V1.4.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+HTTPSCANNER;Chinese Hacktool Set - file HTTPSCANNER.EXE;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+HScan_v1_20_PipeCmd;Chinese Hacktool Set - file PipeCmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_fp;Chinese Hacktool Set - file fp.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_netstat;Chinese Hacktool Set - file netstat.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+CN_Tools_xsniff;Chinese Hacktool Set - file xsniff.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+MSSqlPass;Chinese Hacktool Set - file MSSqlPass.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+WSockExpert;Chinese Hacktool Set - file WSockExpert.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Ms_Viru_racle;Chinese Hacktool Set - file racle.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+lamescan3;Chinese Hacktool Set - file
lamescan3.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+CN_Tools_pc;Chinese Hacktool Set - file pc.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_Down64;Chinese Hacktool Set - file Down64.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+epathobj_exp32;Chinese Hacktool Set - file epathobj_exp32.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Tools_unknown;Chinese Hacktool Set - file unknown.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+PLUGIN_AJunk;Chinese Hacktool Set - file AJunk.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+IISPutScanner;Chinese Hacktool Set - file IISPutScanner.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+IDTools_For_WinXP_IdtTool_2;Chinese Hacktool Set - file IdtTool.sys;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+hkmjjiis6;Chinese Hacktool Set - file hkmjjiis6.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_lcx;Chinese Hacktool Set - file lcx.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+x_way2_5_X_way;Chinese Hacktool Set - file X-way.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+tools_Sqlcmd;Chinese Hacktool Set - file Sqlcmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Sword1_5;Chinese Hacktool Set - file Sword1.5.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Tools_scan;Chinese Hacktool Set - file scan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Dos_c;Chinese Hacktool Set - file c.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+arpsniffer;Chinese Hacktool Set - file
arpsniffer.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+pw_inspector_2;Chinese Hacktool Set - file pw-inspector.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+datPcShare;Chinese Hacktool Set - file datPcShare.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Tools_xport;Chinese Hacktool Set - file xport.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Pc_xai;Chinese Hacktool Set - file xai.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Radmin_Hash;Chinese Hacktool Set - file Radmin_Hash.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+OSEditor;Chinese Hacktool Set - file OSEditor.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+GoodToolset_ms11011;Chinese Hacktool Set - file ms11011.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+FreeVersion_release;Chinese Hacktool Set - file release.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+churrasco;Chinese Hacktool Set - file churrasco.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+x64_KiwiCmd;Chinese Hacktool Set - file KiwiCmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+sql1433_SQL;Chinese Hacktool Set - file SQL.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+CookieTools2;Chinese Hacktool Set - file CookieTools2.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+cyclotron;Chinese Hacktool Set - file cyclotron.sys;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+xscan_gui;Chinese Hacktool Set - file xscan_gui.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+CN_Tools_hscan;Chinese
Hacktool Set - file hscan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +GoodToolset_pr;Chinese Hacktool Set - file pr.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +hydra_7_4_1_hydra;Chinese Hacktool Set - file hydra.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +CN_Tools_srss_2;Chinese Hacktool Set - file srss.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +Dos_NtGod;Chinese Hacktool Set - file NtGod.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +CN_Tools_VNCLink;Chinese Hacktool Set - file VNCLink.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +tools_NTCmd;Chinese Hacktool Set - file NTCmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +mysql_pwd_crack;Chinese Hacktool Set - file mysql_pwd_crack.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +CmdShell64;Chinese Hacktool Set - file CmdShell64.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +Ms_Viru_v;Chinese Hacktool Set - file v.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +CN_Tools_Vscan;Chinese Hacktool Set - file Vscan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +Dos_iis;Chinese Hacktool Set - file iis.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +IISPutScannesr;Chinese Hacktool Set - file IISPutScannesr.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE +Generate;Chinese Hacktool Set - file Generate.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,GEN,FILE +Pc_rejoice;Chinese Hacktool Set - file rejoice.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE 
+ms11080_withcmd;Chinese Hacktool Set - file ms11080_withcmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+OtherTools_xiaoa;Chinese Hacktool Set - file xiaoa.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+unknown2;Chinese Hacktool Set - file unknown2.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+hydra_7_3_hydra;Chinese Hacktool Set - file hydra.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+OracleScan;Chinese Hacktool Set - file OracleScan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+SQLTools;Chinese Hacktool Set - file SQLTools.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+portscanner;Chinese Hacktool Set - file portscanner.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+kappfree;Chinese Hacktool Set - file kappfree.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Smartniff;Chinese Hacktool Set - file Smartniff.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+ChinaChopper_caidao;Chinese Hacktool Set - file caidao.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+KiwiTaskmgr_2;Chinese Hacktool Set - file KiwiTaskmgr.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+kappfree_2;Chinese Hacktool Set - file kappfree.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+x_way2_5_sqlcmd;Chinese Hacktool Set - file sqlcmd.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+Win32_klock;Chinese Hacktool Set - file klock.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+ipsearcher;Chinese Hacktool Set - file ipsearcher.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+ms10048_x64;Chinese Hacktool Set - file ms10048-x64.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+hscangui;Chinese Hacktool Set - file hscangui.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+GoodToolset_ms11080;Chinese Hacktool Set - file ms11080.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+epathobj_exp64;Chinese Hacktool Set - file epathobj_exp64.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+kelloworld_2;Chinese Hacktool Set - file kelloworld.dll;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+HScan_v1_20_hscan;Chinese Hacktool Set - file hscan.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+_Project1_Generate_rejoice;Chinese Hacktool Set - from files Project1.exe, Generate.exe, rejoice.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,GEN,FILE
+_hscan_hscan_hscangui;Chinese Hacktool Set - from files hscan.exe, hscan.exe, hscangui.exe;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+kiwi_tools;Chinese Hacktool Set;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+kiwi_tools_gentil_kiwi;Chinese Hacktool Set;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;EXE,CHINA,HKTL,FILE
+EnigmaPacker_Rare;Detects an ENIGMA packed executable;Internal Research;2017-04-27 00:00:00;60;Florian Roth;EXE,FILE
+Enigma_Protected_Malware_May17_RhxFiles;Auto-generated rule - file RhxFiles.dll;Internal Research;2017-05-02 00:00:00;70;Florian Roth with the help of binar.ly;MAL,EXE,FILE
+Enigma_Protected_Malware;Detects samples packed by Enigma Protector;https://goo.gl/OEVQ9w;2017-02-03 00:00:00;70;Florian Roth with the help of binar.ly;EXE,FILE
+MAL_LNX_SSHDOOR_Triton;Signature detecting ;https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf;2018-12-05 00:00:00;70;Marc-Etienne M.Leveille, modified by Florian Roth;LINUX,FILE
+KHRAT_Malware;Detects an Imphash of KHRAT malware;https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/;2017-08-31 00:00:00;70;Florian Roth;MAL,EXE,FILE
 MAL_KHRAT_script;Rule derived from KHRAT script but can match on other malicious scripts as well;https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/;2017-08-31 00:00:00;70;Florian Roth;MAL
 MAL_KHRAT_scritplet;Rule derived from KHRAT scriptlet;https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/;2017-08-31 00:00:00;70;Florian Roth;MAL,FILE
-APT_Tick_Sysmon_Loader_Jun18;Detects Sysmon Loader from Tick group incident - Weaponized USB;https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/;2018-06-23 00:00:00;70;Florian Roth;FILE,EXE
-APT_Tick_HomamDownloader_Jun18;Detects HomamDownloader from Tick group incident - Weaponized USB;https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/;2018-06-23 00:00:00;70;Florian Roth;FILE,EXE
-CN_Honker_Webshell_PHP_php5;Webshell from CN Honker Pentest Toolset - file php5.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,WEBSHELL
-CN_Honker_Webshell_test3693;Webshell from CN Honker Pentest Toolset - file test3693.war;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,WEBSHELL
+APT_Tick_Sysmon_Loader_Jun18;Detects Sysmon Loader from Tick group incident - Weaponized USB;https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/;2018-06-23 00:00:00;70;Florian Roth;EXE,FILE
+APT_Tick_HomamDownloader_Jun18;Detects HomamDownloader from Tick group incident - Weaponized USB;https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/;2018-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_Webshell_PHP_php5;Webshell from CN Honker Pentest Toolset - file php5.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,FILE
+CN_Honker_Webshell_test3693;Webshell from CN Honker Pentest Toolset - file test3693.war;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,FILE
 CN_Honker_Webshell_mycode12;Webshell from CN Honker Pentest Toolset - file mycode12.cfm;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_offlibrary;Webshell from CN Honker Pentest Toolset - file offlibrary.php;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
-CN_Honker_Webshell_cfm_xl;Webshell from CN Honker Pentest Toolset - file xl.cfm;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,WEBSHELL
-CN_Honker_Webshell_PHP_linux;Webshell from CN Honker Pentest Toolset - file linux.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,WEBSHELL
+CN_Honker_Webshell_cfm_xl;Webshell from CN Honker Pentest Toolset - file xl.cfm;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,FILE
+CN_Honker_Webshell_PHP_linux;Webshell from CN Honker Pentest Toolset - file linux.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,FILE
 CN_Honker_Webshell_Interception3389_get;Webshell from CN Honker Pentest Toolset - file get.asp;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_nc_1;Webshell from CN Honker Pentest Toolset - file 1.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_PHP_BlackSky;Webshell from CN Honker Pentest Toolset - file php6.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
@@ -800,7 +801,7 @@ CN_Honker_Webshell_ASPX_sniff;Webshell from CN Honker Pentest Toolset - file sni
 CN_Honker_Webshell_udf_udf;Webshell from CN Honker Pentest Toolset - file udf.php;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_JSP_jsp;Webshell from CN Honker Pentest Toolset - file jsp.html;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_T00ls_Lpk_Sethc_v4_mail;Webshell from CN Honker Pentest Toolset - file mail.php;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
-CN_Honker_Webshell_phpwebbackup;Webshell from CN Honker Pentest Toolset - file phpwebbackup.php;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,WEBSHELL
+CN_Honker_Webshell_phpwebbackup;Webshell from CN Honker Pentest Toolset - file phpwebbackup.php;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,FILE
 CN_Honker_Webshell_dz_phpcms_phpbb;Webshell from CN Honker Pentest Toolset - file dz_phpcms_phpbb.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_picloaked_1;Webshell from CN Honker Pentest Toolset - file 1.gif;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_assembly;Webshell from CN Honker Pentest Toolset - file assembly.asp;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
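Review bot: The new side only permutes each tag list, and the permutation is not consistent — `FILE,EXE` becomes `EXE,FILE` in the first hunk, `HKTL,WEBSHELL` becomes `WEBSHELL,HKTL` in the -838 hunk, and `GEN,MAL,FILE,EXE` becomes `MAL,EXE,GEN,FILE` in the -852 hunk — which looks like the iteration order of an unordered set in whatever produces this index. If the CSV is generated from the rule metadata, emitting the tag column in a canonical order (sorted, e.g. `EXE,FILE,GEN,MAL`) would make regeneration idempotent and keep future diffs limited to real rule changes; the same churn appears in the -826, -908, -926 and -971 hunks. Separately, the description typos `Detetcs` (Nanocore rows) and `Confustion` (WINNTI row) are carried through unchanged on the new side, so they need fixing in the source rules rather than in this file.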
@@ -826,7 +827,7 @@ CN_Honker_Webshell_Serv_U_by_Goldsun;Webshell from CN Honker Pentest Toolset - f
 CN_Honker_Webshell_PHP_php10;Webshell from CN Honker Pentest Toolset - file php10.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_Serv_U_servu;Webshell from CN Honker Pentest Toolset - file servu.php;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_portRecall_jsp2;Webshell from CN Honker Pentest Toolset - file jsp2.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
-CN_Honker_Webshell_ASPX_aspx2;Webshell from CN Honker Pentest Toolset - file aspx2.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,WEBSHELL
+CN_Honker_Webshell_ASPX_aspx2;Webshell from CN Honker Pentest Toolset - file aspx2.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,FILE
 CN_Honker_Webshell_ASP_hy2006a;Webshell from CN Honker Pentest Toolset - file hy2006a.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_PHP_php1;Webshell from CN Honker Pentest Toolset - file php1.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_jspshell2;Webshell from CN Honker Pentest Toolset - file jspshell2.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
@@ -838,9 +839,9 @@ CN_Honker_Webshell_ASPX_shell_shell;Webshell from CN Honker Pentest Toolset - fi
 CN_Honker_Webshell__php1_php7_php9;Webshell from CN Honker Pentest Toolset - from files php1.txt, php7.txt, php9.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell__Serv_U_by_Goldsun_asp3_Serv_U_asp;Webshell from CN Honker Pentest Toolset - from files Serv-U_by_Goldsun.asp, asp3.txt, Serv-U asp.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell__asp4_asp4_MSSQL__MSSQL_;Webshell from CN Honker Pentest Toolset - from files asp4.txt, asp4.txt, MSSQL_.asp, MSSQL_.asp;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
-CN_Honker_Webshell__Injection_jmCook_jmPost_ManualInjection;Webshell from CN Honker Pentest Toolset - from files Injection.exe, jmCook.asp, jmPost.asp, ManualInjection.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;HKTL,WEBSHELL
+CN_Honker_Webshell__Injection_jmCook_jmPost_ManualInjection;Webshell from CN Honker Pentest Toolset - from files Injection.exe, jmCook.asp, jmPost.asp, ManualInjection.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,HKTL
 CN_Honker_Webshell_cmfshell;Webshell from CN Honker Pentest Toolset - file cmfshell.cmf;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
-CN_Honker_Webshell_PHP_php4;Webshell from CN Honker Pentest Toolset - file php4.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,WEBSHELL
+CN_Honker_Webshell_PHP_php4;Webshell from CN Honker Pentest Toolset - file php4.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,FILE
 CN_Honker_Webshell_Linux_2_6_Exploit;Webshell from CN Honker Pentest Toolset - file 2.6.9;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,LINUX
 CN_Honker_Webshell_ASP_asp2;Webshell from CN Honker Pentest Toolset - file asp2.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_FTP_MYSQL_MSSQL_SSH;Webshell from CN Honker Pentest Toolset - file FTP MYSQL MSSQL SSH.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
@@ -852,30 +853,30 @@ CN_Honker_Webshell_Serv_U_serv_u;Webshell from CN Honker Pentest Toolset - file
 CN_Honker_Webshell_WebShell;Webshell from CN Honker Pentest Toolset - file WebShell.cgi;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_Tuoku_script_mssql_2;Webshell from CN Honker Pentest Toolset - file mssql.asp;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
 CN_Honker_Webshell_ASP_asp1;Webshell from CN Honker Pentest Toolset - file asp1.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL
-Nanocore_RAT_Gen_1;Detetcs the Nanocore RAT and similar malware;https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/;2016-04-22 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE
-Nanocore_RAT_Gen_2;Detetcs the Nanocore RAT;https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/;2016-04-22 00:00:00;100;Florian Roth;GEN,MAL,FILE,EXE
-Nanocore_RAT_Sample_1;Detetcs a certain Nanocore RAT sample;https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/;2016-04-22 00:00:00;75;Florian Roth;MAL,FILE,EXE
-Nanocore_RAT_Sample_2;Detetcs a certain Nanocore RAT sample;https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/;2016-04-22 00:00:00;75;Florian Roth;MAL,FILE,EXE
-Nanocore_RAT_Feb18_1;Detects Nanocore RAT;Internal Research - T2T;2018-02-19 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Nanocore_RAT_Feb18_2;Detects Nanocore RAT;Internal Research - T2T;2018-02-19 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Nanocore_RAT_Gen_1;Detetcs the Nanocore RAT and similar malware;https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/;2016-04-22 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE
+Nanocore_RAT_Gen_2;Detetcs the Nanocore RAT;https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/;2016-04-22 00:00:00;100;Florian Roth;MAL,EXE,GEN,FILE
+Nanocore_RAT_Sample_1;Detetcs a certain Nanocore RAT sample;https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/;2016-04-22 00:00:00;75;Florian Roth;MAL,EXE,FILE
+Nanocore_RAT_Sample_2;Detetcs a certain Nanocore RAT sample;https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/;2016-04-22 00:00:00;75;Florian Roth;MAL,EXE,FILE
+Nanocore_RAT_Feb18_1;Detects Nanocore RAT;Internal Research - T2T;2018-02-19 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Nanocore_RAT_Feb18_2;Detects Nanocore RAT;Internal Research - T2T;2018-02-19 00:00:00;70;Florian Roth;MAL,EXE,FILE
 CoinMiner_Strings;Detects mining pool protocol string in Executable;https://minergate.com/faq/what-pool-address;2018-01-04 00:00:00;50;Florian Roth;
 CoinHive_Javascript_MoneroMiner;Detects CoinHive - JavaScript Crypto Miner;https://coinhive.com/documentation/miner;2018-01-04 00:00:00;50;Florian Roth;
 PUA_CryptoMiner_Jan19_1;Detects Crypto Miner strings;Internal Research;2019-01-31 00:00:00;70;Florian Roth;
-Winnti_signing_cert;Detects a signing certificate used by the Winnti APT group;https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/;2015-10-10 00:00:00;75;Florian Roth;CHINA,APT,FILE,EXE
-Winnti_malware_Nsiproxy;Detects a Winnti rootkit;-;2015-10-10 00:00:00;75;Florian Roth;CHINA,FILE,EXE
-Winnti_malware_UpdateDLL;Detects a Winnti malware - Update.dll;VTI research;2015-10-10 00:00:00;75;Florian Roth;CHINA,FILE,EXE
-Winnti_malware_FWPK;Detects a Winnti malware - FWPKCLNT.SYS;VTI research;2015-10-10 00:00:00;75;Florian Roth;CHINA,FILE,EXE
-Winnti_malware_StreamPortal_Gen;Detects a Winnti malware - Streamportal;VTI research;2015-10-10 00:00:00;75;Florian Roth;CHINA,FILE,EXE
-WINNTI_KingSoft_Moz_Confustion;Detects Barium sample with Copyright confusion;https://www.virustotal.com/en/file/070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496/analysis/;2018-04-13 00:00:00;70;Markus Neis;FILE,EXE
-SUSP_LNK_lnkfileoverRFC;detect APT lnk files that run double extraction and launch routines with autoruns;-;2018-09-18 00:00:00;70;@Grotezinfosec, modified by Florian Roth;FILE,APT
+Winnti_signing_cert;Detects a signing certificate used by the Winnti APT group;https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/;2015-10-10 00:00:00;75;Florian Roth;EXE,APT,CHINA,FILE
+Winnti_malware_Nsiproxy;Detects a Winnti rootkit;-;2015-10-10 00:00:00;75;Florian Roth;EXE,CHINA,FILE
+Winnti_malware_UpdateDLL;Detects a Winnti malware - Update.dll;VTI research;2015-10-10 00:00:00;75;Florian Roth;EXE,CHINA,FILE
+Winnti_malware_FWPK;Detects a Winnti malware - FWPKCLNT.SYS;VTI research;2015-10-10 00:00:00;75;Florian Roth;EXE,CHINA,FILE
+Winnti_malware_StreamPortal_Gen;Detects a Winnti malware - Streamportal;VTI research;2015-10-10 00:00:00;75;Florian Roth;EXE,CHINA,FILE
+WINNTI_KingSoft_Moz_Confustion;Detects Barium sample with Copyright confusion;https://www.virustotal.com/en/file/070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496/analysis/;2018-04-13 00:00:00;70;Markus Neis;EXE,FILE
+SUSP_LNK_lnkfileoverRFC;detect APT lnk files that run double extraction and launch routines with autoruns;-;2018-09-18 00:00:00;70;@Grotezinfosec, modified by Florian Roth;APT,FILE
 SUSP_LNK_SuspiciousCommands;Detects LNK file with suspicious content;-;2018-09-18 00:00:00;60;Florian Roth;FILE
-SeaDuke_Sample;SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d;http://goo.gl/MJ0c2M;2015-07-14 00:00:00;70;Florian Roth;RUSSIA,MAL,FILE,EXE
-APT28_CHOPSTICK;Detects a malware that behaves like CHOPSTICK mentioned in APT28 report;https://goo.gl/v3ebal;2015-06-02 00:00:00;60;Florian Roth;RUSSIA,APT,FILE,EXE
-APT28_SourFace_Malware1;Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.;https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html;2015-06-01 00:00:00;60;Florian Roth;APT,EXE,FILE,RUSSIA,MAL
-APT28_SourFace_Malware2;Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.;https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html;2015-06-01 00:00:00;60;Florian Roth;APT,EXE,FILE,RUSSIA,MAL
-APT28_SourFace_Malware3;Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.;https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html;2015-06-01 00:00:00;60;Florian Roth;APT,EXE,FILE,RUSSIA,MAL
-BadRabbit_Gen;Detects BadRabbit Ransomware;https://pastebin.com/Y7pJv3tK;2017-10-25 00:00:00;70;Florian Roth;EXE,RANSOM,CRIME,FILE,MAL
-BadRabbit_Mimikatz_Comp;Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035;https://pastebin.com/Y7pJv3tK;2017-10-25 00:00:00;70;Florian Roth;FILE,EXE
+SeaDuke_Sample;SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d;http://goo.gl/MJ0c2M;2015-07-14 00:00:00;70;Florian Roth;MAL,EXE,RUSSIA,FILE
+APT28_CHOPSTICK;Detects a malware that behaves like CHOPSTICK mentioned in APT28 report;https://goo.gl/v3ebal;2015-06-02 00:00:00;60;Florian Roth;EXE,APT,RUSSIA,FILE
+APT28_SourFace_Malware1;Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.;https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html;2015-06-01 00:00:00;60;Florian Roth;EXE,RUSSIA,MAL,APT,FILE
+APT28_SourFace_Malware2;Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.;https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html;2015-06-01 00:00:00;60;Florian Roth;EXE,RUSSIA,MAL,APT,FILE
+APT28_SourFace_Malware3;Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.;https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html;2015-06-01 00:00:00;60;Florian Roth;EXE,RUSSIA,MAL,APT,FILE
+BadRabbit_Gen;Detects BadRabbit Ransomware;https://pastebin.com/Y7pJv3tK;2017-10-25 00:00:00;70;Florian Roth;EXE,RANSOM,MAL,CRIME,FILE
+BadRabbit_Mimikatz_Comp;Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035;https://pastebin.com/Y7pJv3tK;2017-10-25 00:00:00;70;Florian Roth;EXE,FILE
 WindowsCredentialEditor;Windows Credential Editor;-;1970-01-01 01:00:00;90;-;HKTL
 Amplia_Security_Tool;Amplia Security Tool;-;1970-01-01 01:00:00;60;-;HKTL
 PwDump;PwDump 6 variant;-;2014-04-24 00:00:00;70;Marc Stroebel;HKTL
@@ -908,7 +909,7 @@ crack_Loader;Auto-generated rule on file Loader.exe;-;1970-01-01 01:00:00;70;yar
 CN_GUI_Scanner;Detects an unknown GUI scanner tool - CN background;-;2014-04-10 00:00:00;65;Florian Roth;HKTL
 CN_Packed_Scanner;Suspiciously packed executable;-;2014-06-10 00:00:00;40;Florian Roth;HKTL
 Tiny_Network_Tool_Generic;Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples);-;2014-08-10 00:00:00;40;Florian Roth;HKTL
-Beastdoor_Backdoor;Detects the backdoor Beastdoor;-;1970-01-01 01:00:00;55;Florian Roth;HKTL,MAL
+Beastdoor_Backdoor;Detects the backdoor Beastdoor;-;1970-01-01 01:00:00;55;Florian Roth;MAL,HKTL
 Powershell_Netcat;Detects a Powershell version of the Netcat network hacking tool;-;2014-10-10 00:00:00;60;Florian Roth;HKTL
 Chinese_Hacktool_1014;Detects a chinese hacktool with unknown use;-;2014-10-10 00:00:00;60;Florian Roth;HKTL
 CN_Hacktool_BAT_PortsOpen;Detects a chinese BAT hacktool for local port evaluation;-;2014-12-10 00:00:00;60;Florian Roth;HKTL
@@ -926,32 +927,32 @@ iKAT_revelations;iKAT hack tool showing the content of password fields - file re
 iKAT_priv_esc_tasksch;Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista.;http://ikat.ha.cked.net/Windows/functions/ikatfiles.html;2014-05-11 00:00:00;75;Florian Roth;HKTL
 iKAT_command_lines_agent;iKAT hack tools set agent - file ikat.exe;http://ikat.ha.cked.net/Windows/functions/ikatfiles.html;2014-05-11 00:00:00;75;Florian Roth;HKTL
 iKAT_cmd_as_dll;iKAT toolset file cmd.dll ReactOS file cloaked;http://ikat.ha.cked.net/Windows/functions/ikatfiles.html;2014-05-11 00:00:00;65;Florian Roth;HKTL
-iKAT_tools_nmap;Generic rule for NMAP - based on NMAP 4 standalone;http://ikat.ha.cked.net/Windows/functions/ikatfiles.html;2014-05-11 00:00:00;50;Florian Roth;HKTL,GEN
+iKAT_tools_nmap;Generic rule for NMAP - based on NMAP 4 standalone;http://ikat.ha.cked.net/Windows/functions/ikatfiles.html;2014-05-11 00:00:00;50;Florian Roth;GEN,HKTL
 iKAT_startbar;Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe;http://ikat.ha.cked.net/Windows/functions/ikatfiles.html;2014-05-11 00:00:00;50;Florian Roth;HKTL
-iKAT_Tool_Generic;Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe;http://ikat.ha.cked.net/Windows/functions/ikatfiles.html;2014-05-11 00:00:00;55;Florian Roth;HKTL,GEN
+iKAT_Tool_Generic;Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe;http://ikat.ha.cked.net/Windows/functions/ikatfiles.html;2014-05-11 00:00:00;55;Florian Roth;GEN,HKTL
 BypassUac2;Auto-generated rule - file BypassUac2.zip;-;1970-01-01 01:00:00;70;yarGen Yara Rule Generator;HKTL
 BypassUac_3;Auto-generated rule - file BypassUacDll.dll;-;1970-01-01 01:00:00;70;yarGen Yara Rule Generator;HKTL
 BypassUac_9;Auto-generated rule - file BypassUac.zip;-;1970-01-01 01:00:00;70;yarGen Yara Rule Generator;HKTL
 BypassUacDll_6;Auto-generated rule - file BypassUacDll.aps;-;1970-01-01 01:00:00;70;yarGen Yara Rule Generator;HKTL
 BypassUac_EXE;Auto-generated rule - file BypassUacDll.aps;-;1970-01-01 01:00:00;70;yarGen Yara Rule Generator;HKTL
-APT_Proxy_Malware_Packed_dev;APT Malware - Proxy;-;2014-11-10 00:00:00;50;FRoth;HKTL,MAL,APT
+APT_Proxy_Malware_Packed_dev;APT Malware - Proxy;-;2014-11-10 00:00:00;50;FRoth;MAL,APT,HKTL
 Tzddos_DDoS_Tool_CN;Disclosed hacktool set - file tzddos;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 Ncat_Hacktools_CN;Disclosed hacktool set - file nc.exe;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 MS08_067_Exploit_Hacktools_CN;Disclosed hacktool set - file cs.exe;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 Hacktools_CN_Burst_sql;Disclosed hacktool set - file sql.exe;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
-Hacktools_CN_Panda_445TOOL;Disclosed hacktool set - file 445TOOL.rar;-;2014-11-17 00:00:00;60;Florian Roth;HKTL,CHINA
-Hacktools_CN_Panda_445;Disclosed hacktool set - file 445.rar;-;2014-11-17 00:00:00;60;Florian Roth;HKTL,CHINA
+Hacktools_CN_Panda_445TOOL;Disclosed hacktool set - file 445TOOL.rar;-;2014-11-17 00:00:00;60;Florian Roth;CHINA,HKTL
+Hacktools_CN_Panda_445;Disclosed hacktool set - file 445.rar;-;2014-11-17 00:00:00;60;Florian Roth;CHINA,HKTL
 Hacktools_CN_WinEggDrop;Disclosed hacktool set - file s.exe;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 Hacktools_CN_Scan_BAT;Disclosed hacktool set - file scan.bat;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
-Hacktools_CN_Panda_Burst;Disclosed hacktool set - file Burst.rar;-;2014-11-17 00:00:00;60;Florian Roth;HKTL,CHINA
+Hacktools_CN_Panda_Burst;Disclosed hacktool set - file Burst.rar;-;2014-11-17 00:00:00;60;Florian Roth;CHINA,HKTL
 Hacktools_CN_445_cmd;Disclosed hacktool set - file cmd.bat;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 Hacktools_CN_GOGOGO_Bat;Disclosed hacktool set - file GOGOGO.bat;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 Hacktools_CN_Burst_pass;Disclosed hacktool set - file pass.txt;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 Hacktools_CN_JoHor_Posts_Killer;Disclosed hacktool set - file JoHor_Posts_Killer.exe;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
-Hacktools_CN_Panda_tesksd;Disclosed hacktool set - file tesksd.jpg;-;2014-11-17 00:00:00;60;Florian Roth;HKTL,CHINA
+Hacktools_CN_Panda_tesksd;Disclosed hacktool set - file tesksd.jpg;-;2014-11-17 00:00:00;60;Florian Roth;CHINA,HKTL
 Hacktools_CN_Http;Disclosed hacktool set - file Http.exe;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 Hacktools_CN_Burst_Start;Disclosed hacktool set - file Start.bat - DoS tool;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
-Hacktools_CN_Panda_tasksvr;Disclosed hacktool set - file tasksvr.exe;-;2014-11-17 00:00:00;60;Florian Roth;HKTL,CHINA
+Hacktools_CN_Panda_tasksvr;Disclosed hacktool set - file tasksvr.exe;-;2014-11-17 00:00:00;60;Florian Roth;CHINA,HKTL
 Hacktools_CN_Burst_Clear;Disclosed hacktool set - file Clear.bat;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 Hacktools_CN_Burst_Thecard;Disclosed hacktool set - file Thecard.bat;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
 Hacktools_CN_Burst_Blast;Disclosed hacktool set - file Blast.bat;-;2014-11-17 00:00:00;60;Florian Roth;HKTL
@@ -971,7 +972,7 @@ sig_238_TELNET;Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows
 snifferport;Disclosed hacktool set (old stuff) - file snifferport.exe;-;2014-11-23 00:00:00;60;Florian Roth;HKTL
 sig_238_webget;Disclosed hacktool set (old stuff) - file webget.exe;-;2014-11-23 00:00:00;60;Florian Roth;HKTL
 XYZCmd_zip_Folder_XYZCmd;Disclosed hacktool set (old stuff) - file XYZCmd.exe;-;2014-11-23 00:00:00;60;Florian Roth;HKTL
-ASPack_Chinese;Disclosed hacktool set (old stuff) - file ASPack Chinese.ini;-;2014-11-23 00:00:00;60;Florian Roth;HKTL,CHINA
+ASPack_Chinese;Disclosed hacktool set (old stuff) - file ASPack Chinese.ini;-;2014-11-23 00:00:00;60;Florian Roth;CHINA,HKTL
 aspbackdoor_EDIR;Disclosed hacktool set (old stuff) - file EDIR.ASP;-;2014-11-23 00:00:00;60;Florian Roth;HKTL
 ByPassFireWall_zip_Folder_Ie;Disclosed hacktool set (old stuff) - file Ie.dll;-;2014-11-23 00:00:00;60;Florian Roth;HKTL
 EditKeyLogReadMe;Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt;-;2014-11-23 00:00:00;60;Florian Roth;HKTL
@@ -1022,78 +1023,78 @@ sig_238_xsniff;Disclosed hacktool set (old stuff) - file xsniff.exe;-;2014-11-23 sig_238_fscan;Disclosed hacktool set (old stuff) - file fscan.exe;-;2014-11-23 00:00:00;60;Florian Roth;HKTL _iissample_nesscan_twwwscan;Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe;-;2014-11-23 00:00:00;60;Florian Roth;HKTL _FsHttp_FsPop_FsSniffer;Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe;-;2014-11-23 00:00:00;60;Florian Roth;HKTL -Ammyy_Admin_AA_v3;Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe;http://goo.gl/gkAg2E;2014-12-22 00:00:00;55;Florian Roth;HKTL,APT -LinuxHacktool_eyes_scanssh;Linux hack tools - file scanssh;not set;2015-01-19 00:00:00;70;Florian Roth;HKTL,LINUX -LinuxHacktool_eyes_pscan2;Linux hack tools - file pscan2;not set;2015-01-19 00:00:00;70;Florian Roth;HKTL,LINUX -LinuxHacktool_eyes_a;Linux hack tools - file a;not set;2015-01-19 00:00:00;70;Florian Roth;HKTL,LINUX -LinuxHacktool_eyes_mass;Linux hack tools - file mass;not set;2015-01-19 00:00:00;70;Florian Roth;HKTL,LINUX -LinuxHacktool_eyes_pscan2_2;Linux hack tools - file pscan2.c;not set;2015-01-19 00:00:00;70;Florian Roth;HKTL,LINUX +Ammyy_Admin_AA_v3;Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe;http://goo.gl/gkAg2E;2014-12-22 00:00:00;55;Florian Roth;APT,HKTL +LinuxHacktool_eyes_scanssh;Linux hack tools - file scanssh;not set;2015-01-19 00:00:00;70;Florian Roth;LINUX,HKTL +LinuxHacktool_eyes_pscan2;Linux hack tools - file pscan2;not set;2015-01-19 00:00:00;70;Florian Roth;LINUX,HKTL +LinuxHacktool_eyes_a;Linux hack tools - file a;not set;2015-01-19 00:00:00;70;Florian Roth;LINUX,HKTL +LinuxHacktool_eyes_mass;Linux hack tools - file mass;not set;2015-01-19 00:00:00;70;Florian Roth;LINUX,HKTL +LinuxHacktool_eyes_pscan2_2;Linux hack tools - file pscan2.c;not set;2015-01-19 00:00:00;70;Florian Roth;LINUX,HKTL CN_Portscan;CN Port 
Scanner;-;1970-01-01 01:00:00;70;Florian Roth;HKTL,FILE -WMI_vbs;WMI Tool - APT;-;1970-01-01 01:00:00;70;Florian Roth;HKTL,APT -CN_Toolset__XScanLib_XScanLib_XScanLib;Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll;http://qiannao.com/ls/905300366/33834c0c/;2015-03-30 00:00:00;70;Florian Roth;HKTL,CHINA -CN_Toolset_NTscan_PipeCmd;Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe;http://qiannao.com/ls/905300366/33834c0c/;2015-03-30 00:00:00;70;Florian Roth;HKTL,CHINA -CN_Toolset_LScanPortss_2;Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe;http://qiannao.com/ls/905300366/33834c0c/;2015-03-30 00:00:00;70;Florian Roth;HKTL,CHINA -CN_Toolset_sig_1433_135_sqlr;Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe;http://qiannao.com/ls/905300366/33834c0c/;2015-03-30 00:00:00;70;Florian Roth;HKTL,CHINA -DarkComet_Keylogger_File;Looks like a keylogger file created by DarkComet Malware;-;2014-07-25 00:00:00;50;Florian Roth;HKTL,MAL,FILE +WMI_vbs;WMI Tool - APT;-;1970-01-01 01:00:00;70;Florian Roth;APT,HKTL +CN_Toolset__XScanLib_XScanLib_XScanLib;Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll;http://qiannao.com/ls/905300366/33834c0c/;2015-03-30 00:00:00;70;Florian Roth;CHINA,HKTL +CN_Toolset_NTscan_PipeCmd;Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe;http://qiannao.com/ls/905300366/33834c0c/;2015-03-30 00:00:00;70;Florian Roth;CHINA,HKTL +CN_Toolset_LScanPortss_2;Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe;http://qiannao.com/ls/905300366/33834c0c/;2015-03-30 00:00:00;70;Florian Roth;CHINA,HKTL +CN_Toolset_sig_1433_135_sqlr;Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe;http://qiannao.com/ls/905300366/33834c0c/;2015-03-30 00:00:00;70;Florian Roth;CHINA,HKTL +DarkComet_Keylogger_File;Looks like a keylogger file created by 
DarkComet Malware;-;2014-07-25 00:00:00;50;Florian Roth;MAL,HKTL,FILE Mimikatz_Memory_Rule_1;Detects password dumper mimikatz in memory;-;2014-12-22 00:00:00;70;Florian Roth;HKTL Mimikatz_Memory_Rule_2;Mimikatz Rule generated from a memory dump;-;1970-01-01 01:00:00;80;Florian Roth - Florian Roth;HKTL mimikatz;mimikatz;-;1970-01-01 01:00:00;70;Benjamin DELPY (gentilkiwi);HKTL wce;wce;-;1970-01-01 01:00:00;70;Benjamin DELPY (gentilkiwi);HKTL -power_pe_injection;PowerShell with PE Reflective Injection;-;1970-01-01 01:00:00;70;Benjamin DELPY (gentilkiwi);HKTL,SCRIPT +power_pe_injection;PowerShell with PE Reflective Injection;-;1970-01-01 01:00:00;70;Benjamin DELPY (gentilkiwi);SCRIPT,HKTL Mimikatz_Logfile;Detects a log file generated by malicious hack tool mimikatz;-;2015-03-31 00:00:00;80;Florian Roth;HKTL -Mimikatz_Strings;Detects Mimikatz strings;not set;2016-06-08 00:00:00;65;Florian Roth;HKTL,FILE,EXE -AppInitHook;AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll;https://goo.gl/Z292v6;2015-07-15 00:00:00;70;Florian Roth;HKTL,FILE,EXE +Mimikatz_Strings;Detects Mimikatz strings;not set;2016-06-08 00:00:00;65;Florian Roth;EXE,HKTL,FILE +AppInitHook;AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll;https://goo.gl/Z292v6;2015-07-15 00:00:00;70;Florian Roth;EXE,HKTL,FILE VSSown_VBS;Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere;-;2015-10-01 00:00:00;75;Florian Roth;HKTL -Netview_Hacktool;Network domain enumeration tool - often used by attackers - file Nv.exe;https://github.com/mubix/netview;2016-03-07 00:00:00;60;Florian Roth;HKTL,FILE,EXE +Netview_Hacktool;Network domain enumeration tool - often used by attackers - file Nv.exe;https://github.com/mubix/netview;2016-03-07 00:00:00;60;Florian Roth;EXE,HKTL,FILE Netview_Hacktool_Output;Network domain enumeration tool output - often used by attackers - file 
filename.txt;https://github.com/mubix/netview;2016-03-07 00:00:00;60;Florian Roth;HKTL -PSAttack_EXE;PSAttack - Powershell attack tool - file PSAttack.exe;https://github.com/gdssecurity/PSAttack/releases/;2016-03-09 00:00:00;100;Florian Roth;HKTL,FILE,EXE +PSAttack_EXE;PSAttack - Powershell attack tool - file PSAttack.exe;https://github.com/gdssecurity/PSAttack/releases/;2016-03-09 00:00:00;100;Florian Roth;EXE,HKTL,FILE Powershell_Attack_Scripts;Powershell Attack Scripts;-;2016-03-09 00:00:00;70;Florian Roth;HKTL PSAttack_ZIP;PSAttack - Powershell attack tool - file PSAttack.zip;https://github.com/gdssecurity/PSAttack/releases/;2016-03-09 00:00:00;100;Florian Roth;HKTL,FILE -Linux_Portscan_Shark_1;Detects Linux Port Scanner Shark;Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35;2016-04-01 00:00:00;70;Florian Roth;HKTL,FILE,LINUX -Linux_Portscan_Shark_2;Detects Linux Port Scanner Shark;Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35;2016-04-01 00:00:00;70;Florian Roth;HKTL,LINUX -dnscat2_Hacktool;Detects dnscat2 - from files dnscat, dnscat2.exe;https://downloads.skullsecurity.org/dnscat2/;2016-05-15 00:00:00;70;Florian Roth;HKTL,FILE,EXE +Linux_Portscan_Shark_1;Detects Linux Port Scanner Shark;Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35;2016-04-01 00:00:00;70;Florian Roth;LINUX,HKTL,FILE +Linux_Portscan_Shark_2;Detects Linux Port Scanner Shark;Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35;2016-04-01 00:00:00;70;Florian Roth;LINUX,HKTL +dnscat2_Hacktool;Detects dnscat2 - from files dnscat, dnscat2.exe;https://downloads.skullsecurity.org/dnscat2/;2016-05-15 00:00:00;70;Florian Roth;EXE,HKTL,FILE WCE_in_memory;Detects Windows Credential Editor (WCE) in memory (and also on disk);Internal Research;2016-08-28 00:00:00;80;Florian Roth;HKTL -pstgdump;Detects a tool used by APT groups - file pstgdump.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;HKTL,APT,FILE,EXE 
-lsremora;Detects a tool used by APT groups;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;HKTL,APT,FILE,EXE -servpw;Detects a tool used by APT groups - file servpw.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;HKTL,APT,FILE,EXE -fgexec;Detects a tool used by APT groups - file fgexec.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;HKTL,APT,FILE,EXE -cachedump;Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;HKTL,APT,FILE,EXE -PwDump_B;Detects a tool used by APT groups - file PwDump.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;HKTL,APT,FILE,EXE +pstgdump;Detects a tool used by APT groups - file pstgdump.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;EXE,APT,HKTL,FILE +lsremora;Detects a tool used by APT groups;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;EXE,APT,HKTL,FILE +servpw;Detects a tool used by APT groups - file servpw.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;EXE,APT,HKTL,FILE +fgexec;Detects a tool used by APT groups - file fgexec.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;EXE,APT,HKTL,FILE +cachedump;Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;EXE,APT,HKTL,FILE +PwDump_B;Detects a tool used by APT groups - file PwDump.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;EXE,APT,HKTL,FILE MSBuild_Mimikatz_Execution_via_XML;Detects an XML that executes Mimikatz on an endpoint via MSBuild;https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml;2016-10-07 00:00:00;70;Florian Roth;HKTL Fscan_Portscanner;Fscan port scanner scan output / strings;https://twitter.com/JamesHabben/status/817112447970480128;2017-01-06 00:00:00;70;Florian Roth;HKTL -WPR_loader_EXE;Windows Password Recovery - file loader.exe;Internal Research;2017-03-15 
00:00:00;70;Florian Roth;HKTL,FILE,EXE -WPR_loader_DLL;Windows Password Recovery - file loader64.dll;Internal Research;2017-03-15 00:00:00;70;Florian Roth;HKTL,FILE,EXE -WPR_Passscape_Loader;Windows Password Recovery - file ast.exe;Internal Research;2017-03-15 00:00:00;70;Florian Roth;HKTL,FILE,EXE -WPR_Asterisk_Hook_Library;Windows Password Recovery - file ast64.dll;Internal Research;2017-03-15 00:00:00;70;Florian Roth;HKTL,FILE,EXE -WPR_WindowsPasswordRecovery_EXE;Windows Password Recovery - file wpr.exe;Internal Research;2017-03-15 00:00:00;70;Florian Roth;HKTL,FILE,EXE -WPR_WindowsPasswordRecovery_EXE_64;Windows Password Recovery - file ast64.exe;Internal Research;2017-03-15 00:00:00;70;Florian Roth;HKTL,FILE,EXE -BeyondExec_RemoteAccess_Tool;Detects BeyondExec Remote Access Tool - file rexesvr.exe;https://goo.gl/BvYurS;2017-03-17 00:00:00;70;Florian Roth;HKTL,FILE,EXE -Mimikatz_Gen_Strings;Detects Mimikatz by using some special strings;Internal Research;2017-06-19 00:00:00;70;Florian Roth;HKTL,GEN,FILE,EXE -Disclosed_0day_POCs_lpe;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;HKTL,FILE,EXE,EXPLOIT -Disclosed_0day_POCs_exploit;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;HKTL,FILE,EXE,EXPLOIT -Disclosed_0day_POCs_InjectDll;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;HKTL,FILE,EXE,EXPLOIT -Disclosed_0day_POCs_payload_MSI;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;HKTL,FILE,EXPLOIT -Disclosed_0day_POCs_injector;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;HKTL,FILE,EXE,EXPLOIT -Disclosed_0day_POCs_lpe_2;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;HKTL,FILE,EXE,EXPLOIT 
-Disclosed_0day_POCs_shellcodegenerator;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;HKTL,FILE,EXE,EXPLOIT -SecurityXploded_Producer_String;Detects hacktools by SecurityXploded;http://securityxploded.com/browser-password-dump.php;2017-07-13 00:00:00;60;Florian Roth;HKTL,FILE,EXE -Kekeo_Hacktool;Detects Kekeo Hacktool;https://github.com/gentilkiwi/kekeo/releases;2017-07-21 00:00:00;70;Florian Roth;HKTL,FILE,EXE -AllTheThings;Detects AllTheThings;https://github.com/subTee/AllTheThings;2017-07-27 00:00:00;70;Florian Roth;HKTL,FILE,EXE -Impacket_Keyword;Detects Impacket Keyword in Executable;Internal Research;2017-08-04 00:00:00;60;Florian Roth;HKTL,FILE,EXE -PasswordsPro;Auto-generated rule - file PasswordsPro.exe;PasswordPro;2017-08-27 00:00:00;70;Florian Roth;HKTL,FILE,EXE -PasswordPro_NTLM_DLL;Auto-generated rule - file NTLM.dll;PasswordPro;2017-08-27 00:00:00;70;Florian Roth;HKTL,FILE,EXE +WPR_loader_EXE;Windows Password Recovery - file loader.exe;Internal Research;2017-03-15 00:00:00;70;Florian Roth;EXE,HKTL,FILE +WPR_loader_DLL;Windows Password Recovery - file loader64.dll;Internal Research;2017-03-15 00:00:00;70;Florian Roth;EXE,HKTL,FILE +WPR_Passscape_Loader;Windows Password Recovery - file ast.exe;Internal Research;2017-03-15 00:00:00;70;Florian Roth;EXE,HKTL,FILE +WPR_Asterisk_Hook_Library;Windows Password Recovery - file ast64.dll;Internal Research;2017-03-15 00:00:00;70;Florian Roth;EXE,HKTL,FILE +WPR_WindowsPasswordRecovery_EXE;Windows Password Recovery - file wpr.exe;Internal Research;2017-03-15 00:00:00;70;Florian Roth;EXE,HKTL,FILE +WPR_WindowsPasswordRecovery_EXE_64;Windows Password Recovery - file ast64.exe;Internal Research;2017-03-15 00:00:00;70;Florian Roth;EXE,HKTL,FILE +BeyondExec_RemoteAccess_Tool;Detects BeyondExec Remote Access Tool - file rexesvr.exe;https://goo.gl/BvYurS;2017-03-17 00:00:00;70;Florian Roth;EXE,HKTL,FILE +Mimikatz_Gen_Strings;Detects Mimikatz by using some 
special strings;Internal Research;2017-06-19 00:00:00;70;Florian Roth;GEN,EXE,HKTL,FILE +Disclosed_0day_POCs_lpe;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;EXE,EXPLOIT,HKTL,FILE +Disclosed_0day_POCs_exploit;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;EXE,EXPLOIT,HKTL,FILE +Disclosed_0day_POCs_InjectDll;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;EXE,EXPLOIT,HKTL,FILE +Disclosed_0day_POCs_payload_MSI;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;EXPLOIT,HKTL,FILE +Disclosed_0day_POCs_injector;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;EXE,EXPLOIT,HKTL,FILE +Disclosed_0day_POCs_lpe_2;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;EXE,EXPLOIT,HKTL,FILE +Disclosed_0day_POCs_shellcodegenerator;Detects POC code from disclosed 0day hacktool set;Disclosed 0day Repos;2017-07-07 00:00:00;70;Florian Roth;EXE,EXPLOIT,HKTL,FILE +SecurityXploded_Producer_String;Detects hacktools by SecurityXploded;http://securityxploded.com/browser-password-dump.php;2017-07-13 00:00:00;60;Florian Roth;EXE,HKTL,FILE +Kekeo_Hacktool;Detects Kekeo Hacktool;https://github.com/gentilkiwi/kekeo/releases;2017-07-21 00:00:00;70;Florian Roth;EXE,HKTL,FILE +AllTheThings;Detects AllTheThings;https://github.com/subTee/AllTheThings;2017-07-27 00:00:00;70;Florian Roth;EXE,HKTL,FILE +Impacket_Keyword;Detects Impacket Keyword in Executable;Internal Research;2017-08-04 00:00:00;60;Florian Roth;EXE,HKTL,FILE +PasswordsPro;Auto-generated rule - file PasswordsPro.exe;PasswordPro;2017-08-27 00:00:00;70;Florian Roth;EXE,HKTL,FILE +PasswordPro_NTLM_DLL;Auto-generated rule - file NTLM.dll;PasswordPro;2017-08-27 00:00:00;70;Florian Roth;EXE,HKTL,FILE 
KeeThief_PS;Detects component of KeeTheft - KeePass dump tool - file KeeThief.ps1;https://github.com/HarmJ0y/KeeThief;2017-08-29 00:00:00;70;Florian Roth;HKTL,FILE -KeeTheft_EXE;Detects component of KeeTheft - KeePass dump tool - file KeeTheft.exe;https://github.com/HarmJ0y/KeeThief;2017-08-29 00:00:00;70;Florian Roth;HKTL,FILE,EXE +KeeTheft_EXE;Detects component of KeeTheft - KeePass dump tool - file KeeTheft.exe;https://github.com/HarmJ0y/KeeThief;2017-08-29 00:00:00;70;Florian Roth;EXE,HKTL,FILE KeeTheft_Out_Shellcode;Detects component of KeeTheft - KeePass dump tool - file Out-Shellcode.ps1;https://github.com/HarmJ0y/KeeThief;2017-08-29 00:00:00;70;Florian Roth;HKTL -Sharpire;Auto-generated rule - file Sharpire.exe;https://github.com/0xbadjuju/Sharpire;2017-09-23 00:00:00;70;Florian Roth;HKTL,FILE,EXE -Invoke_Metasploit;Detects Invoke-Metasploit Payload;https://github.com/jaredhaight/Invoke-MetasploitPayload/blob/master/Invoke-MetasploitPayload.ps1;2017-09-23 00:00:00;70;Florian Roth;HKTL,METASPLOIT -PowerShell_Mal_HackTool_Gen;Detects PowerShell hack tool samples - generic PE loader;Internal Research;2017-11-02 00:00:00;70;Florian Roth;HKTL,SCRIPT -Sig_RemoteAdmin_1;Detects strings from well-known APT malware;Internal Research;2017-12-03 00:00:00;45;Florian Roth;HKTL,APT,FILE,EXE +Sharpire;Auto-generated rule - file Sharpire.exe;https://github.com/0xbadjuju/Sharpire;2017-09-23 00:00:00;70;Florian Roth;EXE,HKTL,FILE +Invoke_Metasploit;Detects Invoke-Metasploit Payload;https://github.com/jaredhaight/Invoke-MetasploitPayload/blob/master/Invoke-MetasploitPayload.ps1;2017-09-23 00:00:00;70;Florian Roth;METASPLOIT,HKTL +PowerShell_Mal_HackTool_Gen;Detects PowerShell hack tool samples - generic PE loader;Internal Research;2017-11-02 00:00:00;70;Florian Roth;SCRIPT,HKTL +Sig_RemoteAdmin_1;Detects strings from well-known APT malware;Internal Research;2017-12-03 00:00:00;45;Florian Roth;EXE,APT,HKTL,FILE RemCom_RemoteCommandExecution;Detects strings from RemCom 
tool;https://goo.gl/tezXZt;2017-12-28 00:00:00;55;Florian Roth;HKTL -Crackmapexec_EXE;Detects CrackMapExec hack tool;Internal Research;2018-04-06 00:00:00;85;Florian Roth;HKTL,FILE,EXE -SUSP_Imphash_PassRevealer_PY_EXE;Detects an imphash used by password revealer and hack tools;Internal Research;2018-04-06 00:00:00;40;Florian Roth;HKTL,FILE,EXE -MAL_Unknown_PWDumper_Apr18_3;Detects sample from unknown sample set - IL origin;Internal Research;2018-04-06 00:00:00;70;Florian Roth;HKTL,FILE,EXE -ProcessInjector_Gen;Detects a process injection utility that can be used ofr good and bad purposes;https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c;2018-04-23 00:00:00;60;Florian Roth;HKTL,FILE,EXE +Crackmapexec_EXE;Detects CrackMapExec hack tool;Internal Research;2018-04-06 00:00:00;85;Florian Roth;EXE,HKTL,FILE +SUSP_Imphash_PassRevealer_PY_EXE;Detects an imphash used by password revealer and hack tools;Internal Research;2018-04-06 00:00:00;40;Florian Roth;EXE,HKTL,FILE +MAL_Unknown_PWDumper_Apr18_3;Detects sample from unknown sample set - IL origin;Internal Research;2018-04-06 00:00:00;70;Florian Roth;EXE,HKTL,FILE +ProcessInjector_Gen;Detects a process injection utility that can be used ofr good and bad purposes;https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c;2018-04-23 00:00:00;60;Florian Roth;EXE,HKTL,FILE Lazagne_PW_Dumper;Detects Lazagne PW Dumper;https://github.com/AlessandroZ/LaZagne/releases/;2018-03-22 00:00:00;70;Markus Neis / Florian Roth;HKTL HKTL_shellpop_TCLsh;Detects suspicious TCLsh popshell;https://github.com/0x00-0x00/ShellPop;2018-05-18 00:00:00;70;Tobias Michalski;HKTL HKTL_shellpop_ruby;Detects suspicious ruby shellpop;https://github.com/0x00-0x00/ShellPop;2018-05-18 00:00:00;70;Tobias Michalski;HKTL 
@@ -1108,71 +1109,71 @@ SUSP_Powershell_ShellCommand_May18_1;Detects a supcicious powershell commandline HKTL_shellpop_Telnet_TCP;Detects malicious telnet shell;https://github.com/0x00-0x00/ShellPop;2018-05-18 00:00:00;70;Tobias Michalski;HKTL SUSP_shellpop_Bash;Detects susupicious bash command;https://github.com/0x00-0x00/ShellPop;2018-05-18 00:00:00;70;Tobias Michalski;HKTL HKTL_shellpop_netcat;Detects suspcious netcat shellpop;https://github.com/0x00-0x00/ShellPop;2018-05-18 00:00:00;70;Tobias Michalski;HKTL -HKTL_beRootexe;Detects beRoot.exe which checks common Windows missconfigurations;https://github.com/AlessandroZ/BeRoot/tree/master/Windows;2018-07-25 00:00:00;70;yarGen Rule Generator;HKTL,FILE,EXE +HKTL_beRootexe;Detects beRoot.exe which checks common Windows missconfigurations;https://github.com/AlessandroZ/BeRoot/tree/master/Windows;2018-07-25 00:00:00;70;yarGen Rule Generator;EXE,HKTL,FILE HKTL_beRootexe_output;Detects the output of beRoot.exe;https://github.com/AlessandroZ/BeRoot/tree/master/Windows;2018-07-25 00:00:00;70;Tobias Michalski;HKTL HKTL_EmbeddedPDF;Detects Embedded PDFs which can start malicious content;https://twitter.com/infosecn1nja/status/1021399595899731968?s=12;2018-07-25 00:00:00;70;Tobias Michalski;HKTL,FILE -HTKL_BlackBone_DriverInjector;Detects BlackBone Driver injector;https://github.com/DarthTon/Blackbone;2018-09-11 00:00:00;60;Florian Roth;HKTL,FILE,EXE +HTKL_BlackBone_DriverInjector;Detects BlackBone Driver injector;https://github.com/DarthTon/Blackbone;2018-09-11 00:00:00;60;Florian Roth;EXE,HKTL,FILE HKTL_SqlMap;Detects sqlmap hacktool;https://github.com/sqlmapproject/sqlmap;2018-10-09 00:00:00;70;Florian Roth;HKTL -HKTL_SqlMap_backdoor;Detects SqlMap backdoors;https://github.com/sqlmapproject/sqlmap;2018-10-09 00:00:00;70;Florian Roth;HKTL,MAL,FILE -HKTL_Lazagne_PasswordDumper_Dec18_1;Detects password dumper Lazagne often used by middle eastern threat 
groups;https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group;2018-12-11 00:00:00;85;Florian Roth;HKTL,FILE,EXE -HKTL_Lazagne_Gen_18;Detects Lazagne password extractor hacktool;https://github.com/AlessandroZ/LaZagne;2018-12-11 00:00:00;80;Florian Roth;HKTL,GEN -HKTL_NoPowerShell;Detects NoPowerShell hack tool;https://github.com/bitsadmin/nopowershell;2018-12-28 00:00:00;70;Florian Roth;HKTL,SCRIPT -HKTL_htran_go;Detects go based htran variant;-;2019-01-09 00:00:00;70;Jeff Beley;HKTL,FILE,EXE -SUSP_Katz_PDB;Detects suspicious PDB in file;Internal Research;2019-02-04 00:00:00;70;Florian Roth;HKTL,FILE,EXE -CrimsonRAT_Mar18_1;Detects CrimsonRAT malware;Internal Research;2018-03-06 00:00:00;70;Florian Roth;MAL,FILE,EXE +HKTL_SqlMap_backdoor;Detects SqlMap backdoors;https://github.com/sqlmapproject/sqlmap;2018-10-09 00:00:00;70;Florian Roth;MAL,HKTL,FILE +HKTL_Lazagne_PasswordDumper_Dec18_1;Detects password dumper Lazagne often used by middle eastern threat groups;https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group;2018-12-11 00:00:00;85;Florian Roth;EXE,HKTL,FILE +HKTL_Lazagne_Gen_18;Detects Lazagne password extractor hacktool;https://github.com/AlessandroZ/LaZagne;2018-12-11 00:00:00;80;Florian Roth;GEN,HKTL +HKTL_NoPowerShell;Detects NoPowerShell hack tool;https://github.com/bitsadmin/nopowershell;2018-12-28 00:00:00;70;Florian Roth;SCRIPT,HKTL +HKTL_htran_go;Detects go based htran variant;-;2019-01-09 00:00:00;70;Jeff Beley;EXE,HKTL,FILE +SUSP_Katz_PDB;Detects suspicious PDB in file;Internal Research;2019-02-04 00:00:00;70;Florian Roth;EXE,HKTL,FILE +CrimsonRAT_Mar18_1;Detects CrimsonRAT malware;Internal Research;2018-03-06 00:00:00;70;Florian Roth;MAL,EXE,FILE APT_HiddenCobra_enc_PK_header;Hidden Cobra - Detects trojan with encrypted header;https://www.us-cert.gov/ncas/analysis-reports/AR18-165A;2018-04-12 00:00:00;70;NCCIC trusted 3rd party - Edit: Tobias Michalski;NK,FILE -APT_HiddenCobra_import_obfuscation_2;Hidden 
Cobra - Detects remote access trojan;https://www.us-cert.gov/ncas/analysis-reports/AR18-165A;2018-04-12 00:00:00;70;NCCIC trusted 3rd party - Edit: Tobias Michalski;NK,OBFUS,FILE +APT_HiddenCobra_import_obfuscation_2;Hidden Cobra - Detects remote access trojan;https://www.us-cert.gov/ncas/analysis-reports/AR18-165A;2018-04-12 00:00:00;70;NCCIC trusted 3rd party - Edit: Tobias Michalski;OBFUS,NK,FILE APT_NK_AR18_165A_HiddenCobra_import_deob;Hidden Cobra - Detects installed proxy module as a service;https://www.us-cert.gov/ncas/analysis-reports/AR18-165A;2018-04-12 00:00:00;70;NCCIC trusted 3rd party - Edit: Tobias Michalski;NK,FILE -APT_NK_AR18_165A_1;Detects APT malware from AR18-165A report by US CERT;https://www.us-cert.gov/ncas/analysis-reports/AR18-165A;2018-06-15 00:00:00;70;Florian Roth;APT,FILE,EXE +APT_NK_AR18_165A_1;Detects APT malware from AR18-165A report by US CERT;https://www.us-cert.gov/ncas/analysis-reports/AR18-165A;2018-06-15 00:00:00;70;Florian Roth;EXE,APT,FILE Office_OLE_DDEAUTO;Detects DDE in MS Office documents;https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/;2017-10-12 00:00:00;50;NVISO Labs;OFFICE,FILE Office_OLE_DDE;Detects DDE in MS Office documents;https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/;2017-10-12 00:00:00;50;NVISO Labs;OFFICE,FILE -Duqu2_Sample1;Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi);https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;INDIA,FILE,EXE -Duqu2_Sample2;Detects Duqu2 Malware;https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;MAL,FILE,EXE -Duqu2_Sample3;Detects Duqu2 Malware;https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;MAL,FILE,EXE 
-Duqu2_Sample4;Detects Duqu2 Malware;https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;MAL,FILE,EXE -Duqu2_UAs;Detects Duqu2 Executable based on the specific UAs in the file;https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;FILE,EXE -Rehashed_RAT_1;Detects malware from Rehashed RAT incident;https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations;2017-09-08 00:00:00;70;Florian Roth;MAL,FILE,EXE -Rehashed_RAT_2;Detects malware from Rehashed RAT incident;https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations;2017-09-08 00:00:00;70;Florian Roth;MAL,FILE,EXE -Rehashed_RAT_3;Detects malware from Rehashed RAT incident;https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations;2017-09-08 00:00:00;70;Florian Roth;MAL,FILE,EXE -APT15_Malware_Mar18_RoyalCli;Detects malware from APT 15 report by NCC Group;https://goo.gl/HZ5XMN;2018-03-10 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE -APT15_Malware_Mar18_RoyalDNS;Detects malware from APT 15 report by NCC Group;https://goo.gl/HZ5XMN;2018-03-10 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE -APT15_Malware_Mar18_BS2005;Detects malware from APT 15 report by NCC Group;https://goo.gl/HZ5XMN;2018-03-10 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE -APT15_Malware_Mar18_MSExchangeTool;Detects malware from APT 15 report by NCC Group;https://goo.gl/HZ5XMN;2018-03-10 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE +Duqu2_Sample1;Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi);https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;EXE,INDIA,FILE +Duqu2_Sample2;Detects Duqu2 
Malware;https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;MAL,EXE,FILE +Duqu2_Sample3;Detects Duqu2 Malware;https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;MAL,EXE,FILE +Duqu2_Sample4;Detects Duqu2 Malware;https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;MAL,EXE,FILE +Duqu2_UAs;Detects Duqu2 Executable based on the specific UAs in the file;https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/;2016-07-02 00:00:00;80;Florian Roth;EXE,FILE +Rehashed_RAT_1;Detects malware from Rehashed RAT incident;https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations;2017-09-08 00:00:00;70;Florian Roth;MAL,EXE,FILE +Rehashed_RAT_2;Detects malware from Rehashed RAT incident;https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations;2017-09-08 00:00:00;70;Florian Roth;MAL,EXE,FILE +Rehashed_RAT_3;Detects malware from Rehashed RAT incident;https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations;2017-09-08 00:00:00;70;Florian Roth;MAL,EXE,FILE +APT15_Malware_Mar18_RoyalCli;Detects malware from APT 15 report by NCC Group;https://goo.gl/HZ5XMN;2018-03-10 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE +APT15_Malware_Mar18_RoyalDNS;Detects malware from APT 15 report by NCC Group;https://goo.gl/HZ5XMN;2018-03-10 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE +APT15_Malware_Mar18_BS2005;Detects malware from APT 15 report by NCC Group;https://goo.gl/HZ5XMN;2018-03-10 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE +APT15_Malware_Mar18_MSExchangeTool;Detects malware from APT 15 report by NCC 
Group;https://goo.gl/HZ5XMN;2018-03-10 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
 clean_apt15_patchedcmd;This is a patched CMD. This is the CMD that RoyalCli uses.;-;1970-01-01 01:00:00;70;Ahmed Zaki;FILE
 malware_apt15_royalcli_1;Generic strings found in the Royal CLI tool;-;1970-01-01 01:00:00;70;David Cannings;GEN,FILE
-malware_apt15_royalcli_2;APT15 RoyalCli backdoor;-;1970-01-01 01:00:00;70;Nikolaos Pantazopoulos;MAL,FILE,APT
+malware_apt15_royalcli_2;APT15 RoyalCli backdoor;-;1970-01-01 01:00:00;70;Nikolaos Pantazopoulos;MAL,APT,FILE
 malware_apt15_royaldll;DLL implant, originally rights.dll and runs as a service;-;1970-01-01 01:00:00;70;David Cannings;
-malware_apt15_royaldll_2;DNS backdoor used by APT15;-;1970-01-01 01:00:00;70;Ahmed Zaki;MAL,FILE,APT
-malware_apt15_exchange_tool;This is a an exchange enumeration/hijacking tool used by an APT 15;-;1970-01-01 01:00:00;70;Ahmed Zaki;FILE,APT
+malware_apt15_royaldll_2;DNS backdoor used by APT15;-;1970-01-01 01:00:00;70;Ahmed Zaki;MAL,APT,FILE
+malware_apt15_exchange_tool;This is a an exchange enumeration/hijacking tool used by an APT 15;-;1970-01-01 01:00:00;70;Ahmed Zaki;APT,FILE
 malware_apt15_generic;Find generic data potentially relating to AP15 tools;-;1970-01-01 01:00:00;70;David Cannings;
 PowerShdll;Detects hack tool PowerShdll;https://github.com/p3nt4/PowerShdll;2017-08-03 00:00:00;70;Florian Roth;
-Shifu_Banking_Trojan;Detects Shifu Banking Trojan;https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/;2015-09-01 00:00:00;70;Florian Roth;MAL,FILE,EXE
-SHIFU_Banking_Trojan;Detects SHIFU Banking Trojan;http://goo.gl/52n8WE;2015-10-31 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Shifu_Banking_Trojan;Detects Shifu Banking Trojan;https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/;2015-09-01 00:00:00;70;Florian Roth;MAL,EXE,FILE
+SHIFU_Banking_Trojan;Detects SHIFU Banking Trojan;http://goo.gl/52n8WE;2015-10-31 00:00:00;70;Florian Roth;MAL,EXE,FILE
 OilRig_Strings_Oct17;Detects strings from OilRig malware and malicious scripts;https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/;2017-10-18 00:00:00;70;Florian Roth;MIDDLE_EAST
 OilRig_ISMAgent_Campaign_Samples1;Detects OilRig malware from Unit 42 report in October 2017;https://goo.gl/JQVfFP;2017-10-18 00:00:00;70;Florian Roth;MIDDLE_EAST,FILE
-OilRig_ISMAgent_Campaign_Samples2;Detects OilRig malware from Unit 42 report in October 2017;https://goo.gl/JQVfFP;2017-10-18 00:00:00;70;Florian Roth;MIDDLE_EAST,FILE,EXE
-OilRig_ISMAgent_Campaign_Samples3;Detects OilRig malware from Unit 42 report in October 2017;https://goo.gl/JQVfFP;2017-10-18 00:00:00;70;Florian Roth;MIDDLE_EAST,FILE,EXE
-MAL_Hogfish_Report_Related_Sample;Detects APT10 / Hogfish related samples;https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf;2018-05-01 00:00:00;70;Florian Roth;CHINA,APT,FILE,EXE
-MAL_RedLeaves_Apr18_1;Detects RedLeaves malware;https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf;2018-05-01 00:00:00;70;Florian Roth;FILE,EXE
-asp_file;Laudanum Injector Tools - file file.asp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,FILE,WEBSHELL
-php_killnc;Laudanum Injector Tools - file killnc.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-asp_shell;Laudanum Injector Tools - file shell.asp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-settings;Laudanum Injector Tools - file settings.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-asp_proxy;Laudanum Injector Tools - file proxy.asp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-cfm_shell;Laudanum Injector Tools - file shell.cfm;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-aspx_shell;Laudanum Injector Tools - file shell.aspx;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-php_shell;Laudanum Injector Tools - file shell.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-php_reverse_shell;Laudanum Injector Tools - file php-reverse-shell.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-php_dns;Laudanum Injector Tools - file dns.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-WEB_INF_web;Laudanum Injector Tools - file web.xml;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-jsp_cmd;Laudanum Injector Tools - file cmd.war;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,FILE,WEBSHELL
-laudanum;Laudanum Injector Tools - file laudanum.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-php_file;Laudanum Injector Tools - file file.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-warfiles_cmd;Laudanum Injector Tools - file cmd.jsp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-asp_dns;Laudanum Injector Tools - file dns.asp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-php_reverse_shell_2;Laudanum Injector Tools - file php-reverse-shell.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-Laudanum_Tools_Generic;Laudanum Injector Tools;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;HKTL,WEBSHELL
-ce_enfal_cmstar_debug_msg;Detects the static debug strings within CMSTAR;http://goo.gl/JucrP9;2015-05-10 00:00:00;70;rfalcone;FILE,EXE
+OilRig_ISMAgent_Campaign_Samples2;Detects OilRig malware from Unit 42 report in October 2017;https://goo.gl/JQVfFP;2017-10-18 00:00:00;70;Florian Roth;EXE,MIDDLE_EAST,FILE
+OilRig_ISMAgent_Campaign_Samples3;Detects OilRig malware from Unit 42 report in October 2017;https://goo.gl/JQVfFP;2017-10-18 00:00:00;70;Florian Roth;EXE,MIDDLE_EAST,FILE
+MAL_Hogfish_Report_Related_Sample;Detects APT10 / Hogfish related samples;https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf;2018-05-01 00:00:00;70;Florian Roth;EXE,APT,CHINA,FILE
+MAL_RedLeaves_Apr18_1;Detects RedLeaves malware;https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf;2018-05-01 00:00:00;70;Florian Roth;EXE,FILE
+asp_file;Laudanum Injector Tools - file file.asp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL,FILE
+php_killnc;Laudanum Injector Tools - file killnc.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+asp_shell;Laudanum Injector Tools - file shell.asp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+settings;Laudanum Injector Tools - file settings.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+asp_proxy;Laudanum Injector Tools - file proxy.asp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+cfm_shell;Laudanum Injector Tools - file shell.cfm;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+aspx_shell;Laudanum Injector Tools - file shell.aspx;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+php_shell;Laudanum Injector Tools - file shell.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+php_reverse_shell;Laudanum Injector Tools - file php-reverse-shell.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+php_dns;Laudanum Injector Tools - file dns.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+WEB_INF_web;Laudanum Injector Tools - file web.xml;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+jsp_cmd;Laudanum Injector Tools - file cmd.war;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL,FILE
+laudanum;Laudanum Injector Tools - file laudanum.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+php_file;Laudanum Injector Tools - file file.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+warfiles_cmd;Laudanum Injector Tools - file cmd.jsp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+asp_dns;Laudanum Injector Tools - file dns.asp;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+php_reverse_shell_2;Laudanum Injector Tools - file php-reverse-shell.php;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+Laudanum_Tools_Generic;Laudanum Injector Tools;http://laudanum.inguardians.com/;2015-06-22 00:00:00;70;Florian Roth;WEBSHELL,HKTL
+ce_enfal_cmstar_debug_msg;Detects the static debug strings within CMSTAR;http://goo.gl/JucrP9;2015-05-10 00:00:00;70;rfalcone;EXE,FILE
 EquationGroup_emptycriss;Equation Group hack tool leaked by ShadowBrokers- file emptycriss;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-08 00:00:00;70;Florian Roth;HKTL
 EquationGroup_scripme;Equation Group hack tool leaked by ShadowBrokers- file scripme;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-08 00:00:00;70;Florian Roth;HKTL
 EquationGroup_cryptTool;Equation Group hack tool leaked by ShadowBrokers- file cryptTool;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-08 00:00:00;70;Florian Roth;HKTL,FILE
@@ -1232,13 +1233,13 @@ EquationGroup__magicjack_v1_1_0_0_client;Equation Group hack tool leaked by Shad
 EquationGroup__ftshell;Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-08 00:00:00;70;Florian Roth;HKTL,FILE
 EquationGroup_store_linux_i386_v_3_3_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE
 EquationGroup_morerats_client_genkey;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;
-EquationGroup_cursetingle_2_0_1_2_mswin32_v_2_0_1;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_cursesleepy_mswin32_v_1_0_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE,EXE
+EquationGroup_cursetingle_2_0_1_2_mswin32_v_2_0_1;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;EXE,FILE
+EquationGroup_cursesleepy_mswin32_v_1_0_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;EXE,FILE
 EquationGroup_porkserver_v3_0_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE
-EquationGroup_cursehelper_win2k_i686_v_2_2_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE,EXE
+EquationGroup_cursehelper_win2k_i686_v_2_2_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;EXE,FILE
 EquationGroup_morerats_client_addkey;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;
 EquationGroup_noclient_3_3_2;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;
-EquationGroup_curseflower_mswin32_v_1_0_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE,EXE
+EquationGroup_curseflower_mswin32_v_1_0_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;EXE,FILE
 EquationGroup_tmpwatch;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;
 EquationGroup_orleans_stride_sunos5_9_v_2_4_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE
 EquationGroup_morerats_client_noprep;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;
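Review bot: The only change in this hunk is the tag column flipping from `FILE,EXE` to `EXE,FILE` on the four `EquationGroup_curse*` rows, and the new order is not a canonical one either — elsewhere in the same diff the rewritten tag lists come out as `MAL,APT,FILE`, `WEBSHELL,HKTL,FILE` and `EXE,MIDDLE_EAST,FILE`, which reads like the tags are emitted in hash/set iteration order. If this CSV is produced by an export script (the uniform `1970-01-01 01:00:00` placeholder dates suggest it is), sort the tags before joining them, e.g. `",".join(sorted(tags))`, so the file is reproducible and a diff only shows real metadata changes. Without that, any consumer that compares the tag field as a string rather than as a set will see every one of these rules as "modified" on each regeneration, and genuine tag additions or removals get buried in reorder noise.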
@@ -1247,170 +1248,170 @@ EquationGroup_seconddate_ImplantStandalone_3_0_3;Equation Group hack tool set;ht
 EquationGroup_watcher_solaris_i386_v_3_3_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE
 EquationGroup_gr_dev_bin_now;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;
 EquationGroup_gr_dev_bin_post;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;
-EquationGroup_curseyo_win2k_v_1_0_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE,EXE
+EquationGroup_curseyo_win2k_v_1_0_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;EXE,FILE
 EquationGroup_gr;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;
-EquationGroup_curseroot_win2k_v_2_1_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_cursewham_curserazor_cursezinger_curseroot_win2k;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE,EXE
+EquationGroup_curseroot_win2k_v_2_1_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;EXE,FILE
+EquationGroup_cursewham_curserazor_cursezinger_curseroot_win2k;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;EXE,FILE
 EquationGroup_watcher_linux_i386_v_3_3_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE
-EquationGroup_charm_saver_win2k_v_2_0_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_cursehappy_win2k_v_6_1_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE,EXE
+EquationGroup_charm_saver_win2k_v_2_0_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;EXE,FILE
+EquationGroup_cursehappy_win2k_v_6_1_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;EXE,FILE
 EquationGroup_morerats_client_Store;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE
 EquationGroup_watcher_linux_x86_64_v_3_3_0;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE
 EquationGroup_linux_exactchange;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE
 EquationGroup_x86_linux_exactchange;Equation Group hack tool set;https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1;2017-04-09 00:00:00;70;Florian Roth;FILE
-EquationGroup_Toolset_Apr17_Eclipsedwing_Rpcproxy_Pcdlllauncher;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Explodingcantouch_1_2_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Architouch_1_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Esteemaudit_2_1_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Educatedscholar_1_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Erraticgophertouch_1_0_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Smbtouch_1_1_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Educatedscholartouch_1_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Esteemaudittouch_2_1_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Rpctouch_2_1_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Mofconfig_1_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Easypi_Explodingcan;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Eclipsedwingtouch_1_0_4;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Iistouch_1_2_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Namedpipetouch_2_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Easybee_1_0_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Regread_1_1_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Eternalromance_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__Emphasismine;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Eternalromance;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Gen4;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Gen1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Gen2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Gen3;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_yak;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_AdUser_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_RemoteExecute_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Banner_Implant9x;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_greatdoc_dll_config;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_scanner;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_tacothief;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_ntevt;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Processes_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_st_lp;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_EpWrapper;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DiBa_Target_2000;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DllLoad_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_EXPA;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_RemoteExecute_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DS_ParseLogs;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Oracle_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DmGz_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_SetResourceName;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_drivers_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Shares_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_ntfltmgr;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DiBa_Target_BH;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_PC_LP;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_RemoteCommand_Lp;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_lp_mstcp;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_renamer;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_PC_Exploit;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_PC_Level3_Gen;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_put_Implant9x;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_promiscdetect_safe;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_PacketScan_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_SetPorts;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_msgks_mskgu;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Ifconfig_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DiBa_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Dsz_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_GenKey;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_wmi_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_clocksvc;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_xxxRIDEAREA;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_yak_min_install;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_SetOurAddr;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_SendPKTrigger;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DmGz_Target_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_regprobe;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_GangsterThief_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_SetCallbackPorts;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_rc5;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_PC_Level_Generic;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_PC_Level3_http_exe;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_ParseCapture;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_ActiveDirectory_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_PC_Legacy_dll;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_svctouch;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_pwd_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_KisuComms_Target_2000;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_SlDecoder;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_Windows_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_3;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17_SetCallback;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__vtuner_vtuner_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__AddResource;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__ESKE_RPC2_8;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__LSADUMP_Lp_ModifyPrivilege_Lp_PacketScan_Lp_put_Lp_RemoteExecute_Lp_Windows_Lp_wmi_Lp_9;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__ETBL_ETRE_10;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__ELV_ESKE_13;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_16;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
-EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;FILE,EXE
+EquationGroup_Toolset_Apr17_Eclipsedwing_Rpcproxy_Pcdlllauncher;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE
+EquationGroup_Toolset_Apr17_Explodingcantouch_1_2_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE
+EquationGroup_Toolset_Apr17_Architouch_1_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE
+EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE
+EquationGroup_Toolset_Apr17_Esteemaudit_2_1_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE
+EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 
00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Educatedscholar_1_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Erraticgophertouch_1_0_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Smbtouch_1_1_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Educatedscholartouch_1_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Esteemaudittouch_2_1_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Rpctouch_2_1_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Mofconfig_1_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Easypi_Explodingcan;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Eclipsedwingtouch_1_0_4;Detects EquationGroup Tool - April 
Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Iistouch_1_2_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Namedpipetouch_2_0_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Easybee_1_0_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Regread_1_1_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Eternalromance_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__Emphasismine;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Eternalromance;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE 
+EquationGroup_Toolset_Apr17_Gen4;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Gen1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Gen2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Gen3;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_yak;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_AdUser_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_RemoteExecute_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Banner_Implant9x;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_greatdoc_dll_config;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_scanner;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE 
+EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_tacothief;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_ntevt;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Processes_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_st_lp;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_EpWrapper;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_DiBa_Target_2000;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_DllLoad_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_EXPA;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_RemoteExecute_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE 
+EquationGroup_Toolset_Apr17_DS_ParseLogs;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Oracle_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_DmGz_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_SetResourceName;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_drivers_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Shares_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_ntfltmgr;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_DiBa_Target_BH;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_PC_LP;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_RemoteCommand_Lp;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE 
+EquationGroup_Toolset_Apr17_lp_mstcp;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_renamer;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_PC_Exploit;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_PC_Level3_Gen;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_put_Implant9x;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_promiscdetect_safe;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_PacketScan_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_SetPorts;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_msgks_mskgu;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE 
+EquationGroup_Toolset_Apr17_Ifconfig_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_DiBa_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Dsz_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_GenKey;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_wmi_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_clocksvc;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_xxxRIDEAREA;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_yak_min_install;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_SetOurAddr;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian 
Roth;EXE,FILE +EquationGroup_Toolset_Apr17_SendPKTrigger;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_DmGz_Target_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_regprobe;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_GangsterThief_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_SetCallbackPorts;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_rc5;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_PC_Level_Generic;Detects EquationGroup Tool - April 
Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_PC_Level3_http_exe;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_ParseCapture;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_ActiveDirectory_Target;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_PC_Legacy_dll;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_svctouch;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_pwd_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_KisuComms_Target_2000;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_SlDecoder;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_Windows_Implant;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld;Detects 
EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_3;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17_SetCallback;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__vtuner_vtuner_1;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__AddResource;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__ESKE_RPC2_8;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 
00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__LSADUMP_Lp_ModifyPrivilege_Lp_PacketScan_Lp_put_Lp_RemoteExecute_Lp_Windows_Lp_wmi_Lp_9;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__ETBL_ETRE_10;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__ELV_ESKE_13;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_16;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE +EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17;Detects EquationGroup Tool - April Leak;https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation;2017-04-15 00:00:00;70;Florian Roth;EXE,FILE 
EquationGroup_scanner_output;Detects output generated by EQGRP scanner.exe;Internal Research;2017-04-17 00:00:00;70;Florian Roth; -b374k_back_connect;Detects privilege escalation tool;Internal Analysis;2016-08-18 00:00:00;80;Florian Roth;FILE,EXE +b374k_back_connect;Detects privilege escalation tool;Internal Analysis;2016-08-18 00:00:00;80;Florian Roth;EXE,FILE CN_disclosed_20180208_lsls;Detects malware from disclosed CN malware set;https://twitter.com/cyberintproject/status/961714165550342146;2018-02-08 00:00:00;70;Florian Roth;FILE -CN_disclosed_20180208_c;Detects malware from disclosed CN malware set;https://twitter.com/cyberintproject/status/961714165550342146;2018-02-08 00:00:00;70;Florian Roth;FILE,EXE -CN_disclosed_20180208_System3;Detects malware from disclosed CN malware set;https://twitter.com/cyberintproject/status/961714165550342146;2018-02-08 00:00:00;70;Florian Roth;FILE,EXE -CN_disclosed_20180208_Mal1;Detects malware from disclosed CN malware set;https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details;2018-02-08 00:00:00;70;Florian Roth;FILE,EXE -CN_disclosed_20180208_KeyLogger_1;Detects malware from disclosed CN malware set;https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details;2018-02-08 00:00:00;70;Florian Roth;FILE,EXE -CN_disclosed_20180208_Mal4;Detects malware from disclosed CN malware set;https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details;2018-02-08 00:00:00;70;Florian Roth;FILE,EXE -CN_disclosed_20180208_Mal5;Detects malware from disclosed CN malware set;https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details;2018-02-08 00:00:00;70;Florian Roth;FILE,EXE +CN_disclosed_20180208_c;Detects malware from disclosed CN malware set;https://twitter.com/cyberintproject/status/961714165550342146;2018-02-08 00:00:00;70;Florian Roth;EXE,FILE +CN_disclosed_20180208_System3;Detects malware from disclosed CN malware 
set;https://twitter.com/cyberintproject/status/961714165550342146;2018-02-08 00:00:00;70;Florian Roth;EXE,FILE +CN_disclosed_20180208_Mal1;Detects malware from disclosed CN malware set;https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details;2018-02-08 00:00:00;70;Florian Roth;EXE,FILE +CN_disclosed_20180208_KeyLogger_1;Detects malware from disclosed CN malware set;https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details;2018-02-08 00:00:00;70;Florian Roth;EXE,FILE +CN_disclosed_20180208_Mal4;Detects malware from disclosed CN malware set;https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details;2018-02-08 00:00:00;70;Florian Roth;EXE,FILE +CN_disclosed_20180208_Mal5;Detects malware from disclosed CN malware set;https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details;2018-02-08 00:00:00;70;Florian Roth;EXE,FILE APT_Liudoor;Detects Liudoor daemon backdoor;-;2015-07-23 00:00:00;70;RSA FirstWatch;MAL -ScanBox_Malware_Generic;Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP;-;2015-02-28 00:00:00;70;Florian Roth;CHINA,MAL,APT +ScanBox_Malware_Generic;Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP;-;2015-02-28 00:00:00;70;Florian Roth;MAL,APT,CHINA FourElementSword_Config_File;Detects FourElementSword Malware - file f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL -FourElementSword_T9000;Detects FourElementSword Malware - file 5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,FILE,EXE -FourElementSword_32DLL;Detects FourElementSword Malware - file 
7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,FILE,EXE -FourElementSword_Keyainst_EXE;Detects FourElementSword Malware - file cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,FILE,EXE -FourElementSword_ElevateDLL_2;Detects FourElementSword Malware - file 9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,FILE,EXE -FourElementSword_fslapi_dll_gui;Detects FourElementSword Malware - file 2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,FILE,EXE -FourElementSword_PowerShell_Start;Detects FourElementSword Malware - file 9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;SCRIPT,MAL +FourElementSword_T9000;Detects FourElementSword Malware - file 5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,EXE,FILE +FourElementSword_32DLL;Detects FourElementSword Malware - file 7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,EXE,FILE +FourElementSword_Keyainst_EXE;Detects FourElementSword Malware - file cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,EXE,FILE 
+FourElementSword_ElevateDLL_2;Detects FourElementSword Malware - file 9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,EXE,FILE +FourElementSword_fslapi_dll_gui;Detects FourElementSword Malware - file 2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,EXE,FILE +FourElementSword_PowerShell_Start;Detects FourElementSword Malware - file 9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,SCRIPT FourElementSword_ResN32DLL;Detects FourElementSword Malware - file bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL -FourElementSword_ElevateDLL;Detects FourElementSword Malware;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,FILE,EXE +FourElementSword_ElevateDLL;Detects FourElementSword Malware;https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/;2016-04-18 00:00:00;70;Florian Roth;MAL,EXE,FILE Venom_Rootkit;Venom Linux Rootkit;https://security.web.cern.ch/security/venom.shtml;2017-01-12 00:00:00;70;Florian Roth;MAL,LINUX APT_FIN7_Strings_Aug18_1;Detects strings from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA -APT_FIN7_Sample_Aug18_2;Detects FIN7 malware sample;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;FILE,RUSSIA 
+APT_FIN7_Sample_Aug18_2;Detects FIN7 malware sample;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE
 APT_FIN7_MalDoc_Aug18_1;Detects malicious Doc from FIN7 campaign;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA
-APT_FIN7_Sample_Aug18_1;Detects FIN7 samples mentioned in FireEye report;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;FILE,RUSSIA
-APT_FIN7_EXE_Sample_Aug18_1;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-APT_FIN7_EXE_Sample_Aug18_2;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-APT_FIN7_EXE_Sample_Aug18_3;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-APT_FIN7_EXE_Sample_Aug18_4;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-APT_FIN7_EXE_Sample_Aug18_5;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-APT_FIN7_EXE_Sample_Aug18_6;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-APT_FIN7_EXE_Sample_Aug18_7;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-APT_FIN7_EXE_Sample_Aug18_8;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-APT_FIN7_EXE_Sample_Aug18_10;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-APT_FIN7_Sample_EXE_Aug18_1;Detects FIN7 Sample;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-MAL_ExileRAT_Feb19_1;Detects Exile RAT;https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html;2019-02-04 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Xtreme_Sep17_1;Detects XTREME sample analyzed in September 2017;Internal Research;2017-09-27 00:00:00;70;Florian Roth;FILE,EXE
-Xtreme_Sep17_2;Detects XTREME sample analyzed in September 2017;Internal Research;2017-09-27 00:00:00;70;Florian Roth;FILE,EXE
-Xtreme_Sep17_3;Detects XTREME sample analyzed in September 2017;Internal Research;2017-09-27 00:00:00;70;Florian Roth;FILE,EXE
-Xtreme_RAT_Gen_Imp;Detects XTREME sample analyzed in September 2017;Internal Research;2017-09-27 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE
+APT_FIN7_Sample_Aug18_1;Detects FIN7 samples mentioned in FireEye report;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;RUSSIA,FILE
+APT_FIN7_EXE_Sample_Aug18_1;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+APT_FIN7_EXE_Sample_Aug18_2;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+APT_FIN7_EXE_Sample_Aug18_3;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+APT_FIN7_EXE_Sample_Aug18_4;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+APT_FIN7_EXE_Sample_Aug18_5;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+APT_FIN7_EXE_Sample_Aug18_6;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+APT_FIN7_EXE_Sample_Aug18_7;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+APT_FIN7_EXE_Sample_Aug18_8;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+APT_FIN7_EXE_Sample_Aug18_10;Detects sample from FIN7 report in August 2018;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+APT_FIN7_Sample_EXE_Aug18_1;Detects FIN7 Sample;https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html;2018-08-01 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+MAL_ExileRAT_Feb19_1;Detects Exile RAT;https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html;2019-02-04 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Xtreme_Sep17_1;Detects XTREME sample analyzed in September 2017;Internal Research;2017-09-27 00:00:00;70;Florian Roth;EXE,FILE
+Xtreme_Sep17_2;Detects XTREME sample analyzed in September 2017;Internal Research;2017-09-27 00:00:00;70;Florian Roth;EXE,FILE
+Xtreme_Sep17_3;Detects XTREME sample analyzed in September 2017;Internal Research;2017-09-27 00:00:00;70;Florian Roth;EXE,FILE
+Xtreme_RAT_Gen_Imp;Detects XTREME sample analyzed in September 2017;Internal Research;2017-09-27 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE
 FiveEyes_QUERTY_Malwareqwerty_20121;FiveEyes QUERTY Malware - file 20121.xml;http://www.spiegel.de/media/media-35668.pdf;2015-01-18 00:00:00;70;Florian Roth;MAL
 FiveEyes_QUERTY_Malwaresig_20123_sys;FiveEyes QUERTY Malware - file 20123.sys.bin;http://www.spiegel.de/media/media-35668.pdf;2015-01-18 00:00:00;70;Florian Roth;MAL
 FiveEyes_QUERTY_Malwaresig_20123_cmdDef;FiveEyes QUERTY Malware - file 20123_cmdDef.xml;http://www.spiegel.de/media/media-35668.pdf;2015-01-18 00:00:00;70;Florian Roth;MAL
@@ -1420,186 +1421,186 @@ FiveEyes_QUERTY_Malwaresig_20120_dll;FiveEyes QUERTY Malware - file 20120.dll.bi
 FiveEyes_QUERTY_Malwaresig_20120_cmdDef;FiveEyes QUERTY Malware - file 20120_cmdDef.xml;http://www.spiegel.de/media/media-35668.pdf;2015-01-18 00:00:00;70;Florian Roth;MAL
 FiveEyes_QUERTY_Malwareqwerty_20120;FiveEyes QUERTY Malware - file 20120.xml;http://www.spiegel.de/media/media-35668.pdf;2015-01-18 00:00:00;70;Florian Roth;MAL
 FiveEyes_QUERTY_Malwaresig_20121_cmdDef;FiveEyes QUERTY Malware - file 20121_cmdDef.xml;http://www.spiegel.de/media/media-35668.pdf;2015-01-18 00:00:00;70;Florian Roth;MAL
-WinDivert_Driver;Detects WinDivert User-Mode packet capturing driver;https://www.reqrypt.org/windivert.html;2017-10-02 00:00:00;40;Florian Roth;FILE,EXE
+WinDivert_Driver;Detects WinDivert User-Mode packet capturing driver;https://www.reqrypt.org/windivert.html;2017-10-02 00:00:00;40;Florian Roth;EXE,FILE
 blackenergy3_installer;Matches unique code block for import name construction ;https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf;2015-05-29 00:00:00;70;Mike Schladt;
-Win_PrivEsc_gp3finder_v4_0;Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe;http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/;2016-06-02 00:00:00;80;Florian Roth;FILE,EXE
+Win_PrivEsc_gp3finder_v4_0;Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe;http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/;2016-06-02 00:00:00;80;Florian Roth;EXE,FILE
 Win_PrivEsc_folderperm;Detects a tool that can be used for privilege escalation - file folderperm.ps1;http://www.greyhathacker.net/?p=738;2016-06-02 00:00:00;80;Florian Roth;
 Win_PrivEsc_ADACLScan4_3;Detects a tool that can be used for privilege escalation - file ADACLScan4.3.ps1;https://adaclscan.codeplex.com/;2016-06-02 00:00:00;60;Florian Roth;
-MAL_Nitol_Malware_Jan19_1;Detects Nitol Malware;https://twitter.com/shotgunner101/status/1084602413691166721;2019-01-14 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Mal_Dropper_httpEXE_from_CAB;Detects a dropper from a CAB file mentioned in the article;https://goo.gl/13Wgy1;2016-05-25 00:00:00;60;Florian Roth;MAL,FILE,EXE
-Mal_http_EXE;Detects trojan from APT report named http.exe;https://goo.gl/13Wgy1;2016-05-25 00:00:00;80;Florian Roth;APT,FILE,EXE
-Mal_PotPlayer_DLL;Detects a malicious PotPlayer.dll;https://goo.gl/13Wgy1;2016-05-25 00:00:00;70;Florian Roth;FILE,EXE
+MAL_Nitol_Malware_Jan19_1;Detects Nitol Malware;https://twitter.com/shotgunner101/status/1084602413691166721;2019-01-14 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Mal_Dropper_httpEXE_from_CAB;Detects a dropper from a CAB file mentioned in the article;https://goo.gl/13Wgy1;2016-05-25 00:00:00;60;Florian Roth;MAL,EXE,FILE
+Mal_http_EXE;Detects trojan from APT report named http.exe;https://goo.gl/13Wgy1;2016-05-25 00:00:00;80;Florian Roth;EXE,APT,FILE
+Mal_PotPlayer_DLL;Detects a malicious PotPlayer.dll;https://goo.gl/13Wgy1;2016-05-25 00:00:00;70;Florian Roth;EXE,FILE
 Recon_Commands_Windows_Gen1;Detects a set of reconnaissance commands on Windows systems;Internal Research, https://goo.gl/MSJCxP;2017-07-10 00:00:00;60;Florian Roth;KEYWORD
-Monsoon_APT_Malware_1;Detects malware from Monsoon APT;http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2;2017-09-08 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Monsoon_APT_Malware_2;Detects malware from Monsoon APT;http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2;2017-09-08 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-GRIZZLY_STEPPE_Malware_1;Auto-generated rule - file HRDG022184_certclint.dll;https://goo.gl/WVflzO;2016-12-29 00:00:00;70;Florian Roth;MAL,FILE,EXE
-GRIZZLY_STEPPE_Malware_2;Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0;https://goo.gl/WVflzO;2016-12-29 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Monsoon_APT_Malware_1;Detects malware from Monsoon APT;http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2;2017-09-08 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Monsoon_APT_Malware_2;Detects malware from Monsoon APT;http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2;2017-09-08 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+GRIZZLY_STEPPE_Malware_1;Auto-generated rule - file HRDG022184_certclint.dll;https://goo.gl/WVflzO;2016-12-29 00:00:00;70;Florian Roth;MAL,EXE,FILE
+GRIZZLY_STEPPE_Malware_2;Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0;https://goo.gl/WVflzO;2016-12-29 00:00:00;70;Florian Roth;MAL,EXE,FILE
 PAS_TOOL_PHP_WEB_KIT_mod;Detects PAS Tool PHP Web Kit;https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity;2016-12-29 00:00:00;70;US CERT - modified by Florian Roth due to performance reasons;
 WebShell_PHP_Web_Kit_v3;Detects PAS Tool PHP Web Kit;https://github.com/wordfence/grizzly;2016-01-01 00:00:00;70;Florian Roth;
 WebShell_PHP_Web_Kit_v4;Detects PAS Tool PHP Web Kit;https://github.com/wordfence/grizzly;2016-01-01 00:00:00;70;Florian Roth;
-IronPanda_DNSTunClient;Iron Panda malware DnsTunClient - file named.exe;https://goo.gl/E4qia9;2015-09-16 00:00:00;80;Florian Roth;CHINA,FILE,EXE
-IronPanda_Malware1;Iron Panda Malware;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
-IronPanda_Webshell_JSP;Iron Panda Malware JSP;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;CHINA,MAL,WEBSHELL
-IronPanda_Malware_Htran;Iron Panda Malware Htran;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
-IronPanda_Malware2;Iron Panda Malware;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
-IronPanda_Malware3;Iron Panda Malware;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
-IronPanda_Malware4;Iron Panda Malware;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
+IronPanda_DNSTunClient;Iron Panda malware DnsTunClient - file named.exe;https://goo.gl/E4qia9;2015-09-16 00:00:00;80;Florian Roth;EXE,CHINA,FILE
+IronPanda_Malware1;Iron Panda Malware;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
+IronPanda_Webshell_JSP;Iron Panda Malware JSP;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;MAL,WEBSHELL,CHINA
+IronPanda_Malware_Htran;Iron Panda Malware Htran;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
+IronPanda_Malware2;Iron Panda Malware;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
+IronPanda_Malware3;Iron Panda Malware;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
+IronPanda_Malware4;Iron Panda Malware;https://goo.gl/E4qia9;2015-09-16 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
 WinPayloads_PowerShell;Detects WinPayloads PowerShell Payload;https://github.com/nccgroup/Winpayloads;2017-07-11 00:00:00;70;Florian Roth;SCRIPT
-WinPayloads_Payload;Detects WinPayloads Payload;https://github.com/nccgroup/Winpayloads;2017-07-11 00:00:00;70;Florian Roth;FILE,EXE
+WinPayloads_Payload;Detects WinPayloads Payload;https://github.com/nccgroup/Winpayloads;2017-07-11 00:00:00;70;Florian Roth;EXE,FILE
 Trojan_ISMRAT_gen;ISM RAT;https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/february/ism-rat/;1970-01-01 01:00:00;70;Ahmed Zaki;MAL,FILE
-HiddenCobra_Rule_1;Detects Hidden Cobra Malware;https://www.us-cert.gov/ncas/alerts/TA17-164A;2017-06-13 00:00:00;70;US CERT;NK,MAL
-HiddenCobra_Rule_3;Detects Hidden Cobra Malware;https://www.us-cert.gov/ncas/alerts/TA17-164A;2017-06-13 00:00:00;70;US CERT;NK,MAL
-APT_HiddenCobra_GhostSecret_1;Detects Hidden Cobra Sample;https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/;2018-08-11 00:00:00;70;Florian Roth;NK,FILE,EXE
-APT_HiddenCobra_GhostSecret_2;Detects Hidden Cobra Sample;https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/;2018-08-11 00:00:00;70;Florian Roth;NK,FILE,EXE
-APT_ME_BigBang_Gen_Jul18_1;Detects malware from Big Bang campaign against Palestinian authorities;https://research.checkpoint.com/apt-attack-middle-east-big-bang/;2018-07-09 00:00:00;70;Florian Roth;GEN,FILE,EXE
-APT_ME_BigBang_Mal_Jul18_1;Detects malware from Big Bang report;https://research.checkpoint.com/apt-attack-middle-east-big-bang/;2018-07-09 00:00:00;70;Florian Roth;FILE,EXE
+HiddenCobra_Rule_1;Detects Hidden Cobra Malware;https://www.us-cert.gov/ncas/alerts/TA17-164A;2017-06-13 00:00:00;70;US CERT;MAL,NK
+HiddenCobra_Rule_3;Detects Hidden Cobra Malware;https://www.us-cert.gov/ncas/alerts/TA17-164A;2017-06-13 00:00:00;70;US CERT;MAL,NK
+APT_HiddenCobra_GhostSecret_1;Detects Hidden Cobra Sample;https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/;2018-08-11 00:00:00;70;Florian Roth;EXE,NK,FILE
+APT_HiddenCobra_GhostSecret_2;Detects Hidden Cobra Sample;https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/;2018-08-11 00:00:00;70;Florian Roth;EXE,NK,FILE
+APT_ME_BigBang_Gen_Jul18_1;Detects malware from Big Bang campaign against Palestinian authorities;https://research.checkpoint.com/apt-attack-middle-east-big-bang/;2018-07-09 00:00:00;70;Florian Roth;GEN,EXE,FILE
+APT_ME_BigBang_Mal_Jul18_1;Detects malware from Big Bang report;https://research.checkpoint.com/apt-attack-middle-east-big-bang/;2018-07-09 00:00:00;70;Florian Roth;EXE,FILE
 ACE_Containing_EXE;Looks for ACE Archives containing an exe/scr file;-;2015-09-09 00:00:00;50;Florian Roth - based on Nick Hoffman' rule - Morphick Inc;FILE
-Beacon_K5om;Detects Meterpreter Beacon - file K5om.dll;https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html;2017-06-07 00:00:00;70;Florian Roth;HKTL,METASPLOIT,FILE,EXE
+Beacon_K5om;Detects Meterpreter Beacon - file K5om.dll;https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html;2017-06-07 00:00:00;70;Florian Roth;EXE,METASPLOIT,HKTL,FILE
 FE_LEGALSTRIKE_MACRO;This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7.;-;2017-06-02 00:00:00;70;Ian.Ahl@fireeye.com @TekDefense - modified by Florian Roth;
-FE_LEGALSTRIKE_RTF;Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom;-;2017-06-02 00:00:00;70;joshua.kim@FireEye. - modified by Florian Roth;FILE,EXPLOIT
-ProjectM_DarkComet_1;Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157;http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/;2016-03-26 00:00:00;70;Florian Roth;MAL,FILE,EXE
-ProjectM_CrimsonDownloader;Detects ProjectM Malware - file dc8bd60695070152c94cbeb5f61eca6e4309b8966f1aa9fdc2dd0ab754ad3e4c;http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/;2016-03-26 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Casper_Backdoor_x86;Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo;http://goo.gl/VRJNLo;2015-03-05 00:00:00;80;Florian Roth;HKTL,MAL
-Casper_EXE_Dropper;Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo;http://goo.gl/VRJNLo;2015-03-05 00:00:00;80;Florian Roth;HKTL,MAL
+FE_LEGALSTRIKE_RTF;Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom;-;2017-06-02 00:00:00;70;joshua.kim@FireEye. - modified by Florian Roth;EXPLOIT,FILE
+ProjectM_DarkComet_1;Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157;http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/;2016-03-26 00:00:00;70;Florian Roth;MAL,EXE,FILE
+ProjectM_CrimsonDownloader;Detects ProjectM Malware - file dc8bd60695070152c94cbeb5f61eca6e4309b8966f1aa9fdc2dd0ab754ad3e4c;http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/;2016-03-26 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Casper_Backdoor_x86;Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo;http://goo.gl/VRJNLo;2015-03-05 00:00:00;80;Florian Roth;MAL,HKTL
+Casper_EXE_Dropper;Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo;http://goo.gl/VRJNLo;2015-03-05 00:00:00;80;Florian Roth;MAL,HKTL
 Casper_Included_Strings;Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo;http://goo.gl/VRJNLo;2015-03-06 00:00:00;50;Florian Roth;MAL
 Casper_SystemInformation_Output;Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo;http://goo.gl/VRJNLo;2015-03-06 00:00:00;70;Florian Roth;MAL
-Andromeda_MalBot_Jun_1A;Detects a malicious Worm Andromeda / RETADUP;http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/;2017-06-30 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Andromeda_MalBot_Jun_1A;Detects a malicious Worm Andromeda / RETADUP;http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/;2017-06-30 00:00:00;70;Florian Roth;MAL,EXE,FILE
 TA17_293A_malware_1;inveigh pen testing tools & related artifacts;https://www.us-cert.gov/ncas/alerts/TA17-293A;2017-07-17 00:00:00;70;US-CERT Code Analysis Team (modified by Florian Roth);
 TA17_293A_malware_2;rule detects malware;https://www.us-cert.gov/ncas/alerts/TA17-293A;1970-01-01 01:00:00;70;other;
 TA17_293A_Query_XML_Code_MAL_DOC_PT_2;-;https://www.us-cert.gov/ncas/alerts/TA17-293A;1970-01-01 01:00:00;70;other (modified by Florian Roth);FILE
 TA17_293A_Query_XML_Code_MAL_DOC;-;https://www.us-cert.gov/ncas/alerts/TA17-293A;1970-01-01 01:00:00;70;other (modified by Florian Roth);FILE
 TA17_293A_Query_Javascript_Decode_Function;-;https://www.us-cert.gov/ncas/alerts/TA17-293A;1970-01-01 01:00:00;70;other (modified by Florian Roth);
 TA17_293A_Hacktool_PS_1;Auto-generated rule - file 72a28efb6e32e653b656ca32ccd44b3111145a695f6f6161965deebbdc437076;https://www.us-cert.gov/ncas/alerts/TA17-293A;2017-10-21 00:00:00;70;Florian Roth;HKTL
-TA17_293A_Hacktool_Touch_MAC_modification;Auto-generated rule - file 070d7082a5abe1112615877214ec82241fd17e5bd465e24d794a470f699af88e;https://www.us-cert.gov/ncas/alerts/TA17-293A;2017-10-21 00:00:00;70;Florian Roth;HKTL,FILE,EXE
+TA17_293A_Hacktool_Touch_MAC_modification;Auto-generated rule - file 070d7082a5abe1112615877214ec82241fd17e5bd465e24d794a470f699af88e;https://www.us-cert.gov/ncas/alerts/TA17-293A;2017-10-21 00:00:00;70;Florian Roth;EXE,HKTL,FILE
 TA17_293A_Hacktool_Exploit_MS16_032;Auto-generated rule - file 9b97290300abb68fb48480718e6318ee2cdd4f099aa6438010fb2f44803e0b58;https://www.us-cert.gov/ncas/alerts/TA17-293A;2017-10-21 00:00:00;70;Florian Roth;HKTL
-Imphash_UPX_Packed_Malware_1_TA17_293A;Detects malware based on Imphash of malware used in TA17-293A;https://www.us-cert.gov/ncas/alerts/TA17-293A;2017-10-21 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Imphash_Malware_2_TA17_293A;Detects malware based on Imphash of malware used in TA17-293A;https://www.us-cert.gov/ncas/alerts/TA17-293A;2017-10-21 00:00:00;70;Florian Roth;MAL,FILE,EXE
-SUSP_Microsoft_7z_SFX_Combo;Detects a suspicious file that has a Microsoft copyright and is a 7z SFX;Internal Research;2018-09-16 00:00:00;70;Florian Roth;FILE,EXE
-SUSP_Microsoft_RAR_SFX_Combo;Detects a suspicious file that has a Microsoft copyright and is a RAR SFX;Internal Research;2018-09-16 00:00:00;70;Florian Roth;FILE,EXE
-PS_AMSI_Bypass;Detects PowerShell AMSI Bypass;https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1;2017-07-19 00:00:00;65;Florian Roth;SCRIPT,SCRIPTS
-JS_Suspicious_Obfuscation_Dropbox;Detects PowerShell AMSI Bypass;https://twitter.com/ItsReallyNick/status/887705105239343104;2017-07-19 00:00:00;70;Florian Roth;SCRIPT,OBFUS,SCRIPTS
+Imphash_UPX_Packed_Malware_1_TA17_293A;Detects malware based on Imphash of malware used in TA17-293A;https://www.us-cert.gov/ncas/alerts/TA17-293A;2017-10-21 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Imphash_Malware_2_TA17_293A;Detects malware based on Imphash of malware used in TA17-293A;https://www.us-cert.gov/ncas/alerts/TA17-293A;2017-10-21 00:00:00;70;Florian Roth;MAL,EXE,FILE
+SUSP_Microsoft_7z_SFX_Combo;Detects a suspicious file that has a Microsoft copyright and is a 7z SFX;Internal Research;2018-09-16 00:00:00;70;Florian Roth;EXE,FILE
+SUSP_Microsoft_RAR_SFX_Combo;Detects a suspicious file that has a Microsoft copyright and is a RAR SFX;Internal Research;2018-09-16 00:00:00;70;Florian Roth;EXE,FILE
+PS_AMSI_Bypass;Detects PowerShell AMSI Bypass;https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1;2017-07-19 00:00:00;65;Florian Roth;SCRIPTS,SCRIPT
+JS_Suspicious_Obfuscation_Dropbox;Detects PowerShell AMSI Bypass;https://twitter.com/ItsReallyNick/status/887705105239343104;2017-07-19 00:00:00;70;Florian Roth;SCRIPTS,OBFUS,SCRIPT
 JS_Suspicious_MSHTA_Bypass;Detects MSHTA Bypass;https://twitter.com/ItsReallyNick/status/887705105239343104;2017-07-19 00:00:00;70;Florian Roth;SCRIPTS
 JavaScript_Run_Suspicious;Detects a suspicious Javascript Run command;https://twitter.com/craiu/status/900314063560998912;2017-08-23 00:00:00;60;Florian Roth;SCRIPTS
-Certutil_Decode_OR_Download;Certutil Decode;Internal Research;2017-08-29 00:00:00;40;Florian Roth;EXTVAR,SCRIPTS
+Certutil_Decode_OR_Download;Certutil Decode;Internal Research;2017-08-29 00:00:00;40;Florian Roth;SCRIPTS,EXTVAR
 Suspicious_JS_script_content;Detects suspicious statements in JavaScript files;Research on Leviathan https://goo.gl/MZ7dRg;2017-12-02 00:00:00;70;Florian Roth;SCRIPTS
 Universal_Exploit_Strings;Detects a group of strings often used in exploit codes;not set;2017-12-02 00:00:00;50;Florian Roth;SCRIPTS
-VBS_Obfuscated_Mal_Feb18_1;Detects malicious obfuscated VBS observed in February 2018;https://goo.gl/zPsn83;2018-02-12 00:00:00;70;Florian Roth;SCRIPT,OBFUS,SCRIPTS
+VBS_Obfuscated_Mal_Feb18_1;Detects malicious obfuscated VBS observed in February 2018;https://goo.gl/zPsn83;2018-02-12 00:00:00;70;Florian Roth;SCRIPTS,OBFUS,SCRIPT
 merlinAgent;Detects Merlin agent;https://github.com/Ne0nd0g/merlin;2017-12-26 00:00:00;70;Hilko Bengen;
 StreamEx_ShellCrew;Detects a ;https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar;2017-02-09 00:00:00;80;Cylance;
-ShellCrew_StreamEx_1;Auto-generated rule - file 81f411415aefa5ad7f7ed2365d9a18d0faf33738617afc19215b69c23f212c07;https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar;2017-02-10 00:00:00;70;Florian Roth;FILE,EXE
-ShellCrew_StreamEx_1_msi;Auto-generated rule - file msi.dll;https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar;2017-02-10 00:00:00;70;Florian Roth;FILE,EXE
+ShellCrew_StreamEx_1;Auto-generated rule - file 81f411415aefa5ad7f7ed2365d9a18d0faf33738617afc19215b69c23f212c07;https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar;2017-02-10 00:00:00;70;Florian Roth;EXE,FILE
+ShellCrew_StreamEx_1_msi;Auto-generated rule - file msi.dll;https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar;2017-02-10 00:00:00;70;Florian Roth;EXE,FILE
 ShellCrew_StreamEx_1_msi_dll;Auto-generated rule - file msi.dll.eng;https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar;2017-02-10 00:00:00;70;Florian Roth;FILE
-Metasploit_Loader_RSMudge;Detects a Metasploit Loader by RSMudge - file loader.exe;https://github.com/rsmudge/metasploit-loader;2016-04-20 00:00:00;70;Florian Roth;METASPLOIT,FILE,EXE
-CN_Tools_xbat;Chinese Hacktool Set - file xbat.vbs;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,SCRIPTS
-CN_Tools_Temp;Chinese Hacktool Set - file Temp.war;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,SCRIPTS
-CN_Tools_srss;Chinese Hacktool Set - file srss.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,SCRIPTS
-dll_UnReg;Chinese Hacktool Set - file UnReg.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,SCRIPTS
-dll_Reg;Chinese Hacktool Set - file Reg.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,SCRIPTS
-sbin_squid;Chinese Hacktool Set - file squid.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,SCRIPTS
-sql1433_creck;Chinese Hacktool Set - file creck.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,FILE,SCRIPTS
-sql1433_Start;Chinese Hacktool Set - file Start.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,SCRIPTS
-Sofacy_Malware_StrangeSpaces;Detetcs strange strings from Sofacy malware with many spaces;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;RUSSIA,MAL,FILE,EXE
-Sofacy_Malware_AZZY_Backdoor_1;AZZY Backdoor - Sample 1;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Sofacy_AZZY_Backdoor_Implant_1;AZZY Backdoor Implant 4.3 - Sample 1;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Sofacy_AZZY_Backdoor_HelperDLL;Dropped C&C helper DLL for AZZY 4.3;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Sofacy_CollectorStealer_Gen1;Generic rule to detect Sofacy Malware Collector Stealer;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;EXE,FILE,RUSSIA,GEN,MAL
-Sofacy_CollectorStealer_Gen2;File collectors / USB stealers - Generic;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;GEN,FILE,EXE
-Sofacy_CollectorStealer_Gen3;File collectors / USB stealers - Generic;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;GEN,FILE,EXE
-Flash_CVE_2015_5119_APT3_leg;Exploit Sample CVE-2015-5119;-;2015-08-01 00:00:00;70;Florian Roth;FILE,EXPLOIT
+Metasploit_Loader_RSMudge;Detects a Metasploit Loader by RSMudge - file loader.exe;https://github.com/rsmudge/metasploit-loader;2016-04-20 00:00:00;70;Florian Roth;EXE,METASPLOIT,FILE
+CN_Tools_xbat;Chinese Hacktool Set - file xbat.vbs;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;SCRIPTS,CHINA,HKTL,FILE
+CN_Tools_Temp;Chinese Hacktool Set - file Temp.war;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;SCRIPTS,CHINA,HKTL,FILE
+CN_Tools_srss;Chinese Hacktool Set - file srss.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;SCRIPTS,CHINA,HKTL
+dll_UnReg;Chinese Hacktool Set - file UnReg.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;SCRIPTS,CHINA,HKTL
+dll_Reg;Chinese Hacktool Set - file Reg.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;SCRIPTS,CHINA,HKTL
+sbin_squid;Chinese Hacktool Set - file squid.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;SCRIPTS,CHINA,HKTL
+sql1433_creck;Chinese Hacktool Set - file creck.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;SCRIPTS,CHINA,HKTL,FILE
+sql1433_Start;Chinese Hacktool Set - file Start.bat;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;SCRIPTS,CHINA,HKTL
+Sofacy_Malware_StrangeSpaces;Detetcs strange strings from Sofacy malware with many spaces;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;MAL,EXE,RUSSIA,FILE
+Sofacy_Malware_AZZY_Backdoor_1;AZZY Backdoor - Sample 1;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Sofacy_AZZY_Backdoor_Implant_1;AZZY Backdoor Implant 4.3 - Sample 1;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Sofacy_AZZY_Backdoor_HelperDLL;Dropped C&C helper DLL for AZZY 4.3;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Sofacy_CollectorStealer_Gen1;Generic rule to detect Sofacy Malware Collector Stealer;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;EXE,RUSSIA,MAL,GEN,FILE
+Sofacy_CollectorStealer_Gen2;File collectors / USB stealers - Generic;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;GEN,EXE,FILE
+Sofacy_CollectorStealer_Gen3;File collectors / USB stealers - Generic;https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/;2015-12-04 00:00:00;70;Florian Roth;GEN,EXE,FILE
+Flash_CVE_2015_5119_APT3_leg;Exploit Sample CVE-2015-5119;-;2015-08-01 00:00:00;70;Florian Roth;EXPLOIT,FILE
 Cobaltgang_PDF_Metadata_Rev_A;Find documents saved from the same potential Cobalt Gang PDF template;https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/;2018-10-25 00:00:00;70;Palo Alto Networks Unit 42;
-Sofacy_Fybis_ELF_Backdoor_Gen1;Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1;http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/;2016-02-13 00:00:00;80;Florian Roth;LINUX,APT,FILE,RUSSIA,MAL
-Sofacy_Fysbis_ELF_Backdoor_Gen2;Detects Sofacy Fysbis Linux Backdoor;http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/;2016-02-13 00:00:00;80;Florian Roth;MAL,FILE,RUSSIA,LINUX
-WinRAR_SFX_Anomaly;Detects WinRAR SFX content with the product name of major vendor's tools (sus);-;2016-03-24 00:00:00;30;Florian Roth;FILE,EXE
+Sofacy_Fybis_ELF_Backdoor_Gen1;Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1;http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/;2016-02-13 00:00:00;80;Florian Roth;LINUX,RUSSIA,MAL,APT,FILE
+Sofacy_Fysbis_ELF_Backdoor_Gen2;Detects Sofacy Fysbis Linux Backdoor;http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/;2016-02-13 00:00:00;80;Florian Roth;MAL,LINUX,RUSSIA,FILE
+WinRAR_SFX_Anomaly;Detects WinRAR SFX content with the product name of major vendor's tools (sus);-;2016-03-24 00:00:00;30;Florian Roth;EXE,FILE
 HTA_with_WScript_Shell;Detects WScript Shell in HTA;https://twitter.com/msftmmpc/status/877396932758560768;2017-06-21 00:00:00;80;Florian Roth;
 HTA_Embedded;Detects an embedded HTA file;https://twitter.com/msftmmpc/status/877396932758560768;2017-06-21 00:00:00;50;Florian Roth;
-APT_Thrip_Sample_Jun18_1;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
-APT_Thrip_Sample_Jun18_2;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
-APT_Thrip_Sample_Jun18_3;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
-APT_Thrip_Sample_Jun18_4;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
-APT_Thrip_Sample_Jun18_5;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
-APT_Thrip_Sample_Jun18_6;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
-APT_Thrip_Sample_Jun18_7;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
+APT_Thrip_Sample_Jun18_1;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE
+APT_Thrip_Sample_Jun18_2;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE
+APT_Thrip_Sample_Jun18_3;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE
+APT_Thrip_Sample_Jun18_4;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE
+APT_Thrip_Sample_Jun18_5;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE
+APT_Thrip_Sample_Jun18_6;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE
+APT_Thrip_Sample_Jun18_7;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE
 APT_Thrip_Sample_Jun18_8;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;
-APT_Thrip_Sample_Jun18_9;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
-APT_Thrip_Sample_Jun18_10;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
-APT_Thrip_Sample_Jun18_11;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE
-APT_Thrip_Sample_Jun18_12;Detects sample found in Thrip report by Symantec 
;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE -APT_Thrip_Sample_Jun18_13;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE -APT_Thrip_Sample_Jun18_14;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE -APT_Thrip_Sample_Jun18_15;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE -APT_Thrip_Sample_Jun18_16;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE -APT_Thrip_Sample_Jun18_17;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE -APT_Thrip_Sample_Jun18_18;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;FILE,EXE -Explosive_EXE;Explosion/Explosive Malware - Volatile Cedar APT;-;1970-01-01 01:00:00;70;Check Point Software Technologies Inc.;MIDDLE_EAST,MAL,FILE,APT -Explosion_Sample_1;Explosion/Explosive Malware - Volatile Cedar APT;http://goo.gl/5vYaNb;2015-04-03 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE,APT -Explosion_Sample_2;Explosion/Explosive Malware - Volatile Cedar APT;http://goo.gl/5vYaNb;2015-04-03 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE,APT -Explosion_Generic_1;Generic Rule for Explosion/Explosive Malware - Volatile 
Cedar APT;not set;2015-04-03 00:00:00;70;Florian Roth;MIDDLE_EAST,APT,FILE,GEN,MAL -Explosive_UA;Explosive Malware Embedded User Agent - Volatile Cedar APT http://goo.gl/HQRCdw;http://goo.gl/HQRCdw;2015-04-03 00:00:00;60;Florian Roth;MIDDLE_EAST,MAL,FILE,APT -Webshell_Caterpillar_ASPX;Volatile Cedar Webshell - from file caterpillar.aspx;http://goo.gl/emons5;2015-04-03 00:00:00;70;Florian Roth;MIDDLE_EAST,WEBSHELL +APT_Thrip_Sample_Jun18_9;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +APT_Thrip_Sample_Jun18_10;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +APT_Thrip_Sample_Jun18_11;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +APT_Thrip_Sample_Jun18_12;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +APT_Thrip_Sample_Jun18_13;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +APT_Thrip_Sample_Jun18_14;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +APT_Thrip_Sample_Jun18_15;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +APT_Thrip_Sample_Jun18_16;Detects sample 
found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +APT_Thrip_Sample_Jun18_17;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +APT_Thrip_Sample_Jun18_18;Detects sample found in Thrip report by Symantec ;https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets ;2018-06-21 00:00:00;70;Florian Roth;EXE,FILE +Explosive_EXE;Explosion/Explosive Malware - Volatile Cedar APT;-;1970-01-01 01:00:00;70;Check Point Software Technologies Inc.;MAL,APT,MIDDLE_EAST,FILE +Explosion_Sample_1;Explosion/Explosive Malware - Volatile Cedar APT;http://goo.gl/5vYaNb;2015-04-03 00:00:00;70;Florian Roth;MAL,APT,MIDDLE_EAST,FILE +Explosion_Sample_2;Explosion/Explosive Malware - Volatile Cedar APT;http://goo.gl/5vYaNb;2015-04-03 00:00:00;70;Florian Roth;MAL,APT,MIDDLE_EAST,FILE +Explosion_Generic_1;Generic Rule for Explosion/Explosive Malware - Volatile Cedar APT;not set;2015-04-03 00:00:00;70;Florian Roth;MAL,GEN,APT,MIDDLE_EAST,FILE +Explosive_UA;Explosive Malware Embedded User Agent - Volatile Cedar APT http://goo.gl/HQRCdw;http://goo.gl/HQRCdw;2015-04-03 00:00:00;60;Florian Roth;MAL,APT,MIDDLE_EAST,FILE +Webshell_Caterpillar_ASPX;Volatile Cedar Webshell - from file caterpillar.aspx;http://goo.gl/emons5;2015-04-03 00:00:00;70;Florian Roth;WEBSHELL,MIDDLE_EAST malware_sakula_xorloop;XOR loops from Sakula malware;-;1970-01-01 01:00:00;70;David Cannings; malware_sakula_memory;Sakula malware - strings after unpacking (memory rule);-;1970-01-01 01:00:00;70;David Cannings; malware_sakula_shellcode;Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula;-;1970-01-01 01:00:00;70;David Cannings; -TempRacer;Detects privilege escalation tool - file 
TempRacer.exe;http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/;2016-03-30 00:00:00;70;Florian Roth;FILE,EXE +TempRacer;Detects privilege escalation tool - file TempRacer.exe;http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/;2016-03-30 00:00:00;70;Florian Roth;EXE,FILE Dexter_Malware;Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b;http://goo.gl/oBvy8b;2015-02-10 00:00:00;70;Florian Roth;MAL -Impacket_Tools_tracer;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_wmiexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_sniffer;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_mmcexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_ifmap;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -karmaSMB;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -samrdump;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_rpcdump;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_secretsdump;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_esentutl;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_opdump;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 
00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_sniff;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_smbexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_goldenPac;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_netview;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_smbtorture;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_mimikatz;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_smbrelayx;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_wmipersist;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_lookupsid;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_wmiquery;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_atexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_psexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;FILE,EXE -Impacket_Tools_Generic_1;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;GEN,FILE,EXE -Impacket_Lateral_Movement;Detects Impacket Network Aktivity for 
Lateral Movement;https://github.com/CoreSecurity/impacket;2018-03-22 00:00:00;60;Markus Neis;FILE,EXE -Generic_Dropper;Detects Dropper PDB string in file;https://goo.gl/JAHZVL;2018-03-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -Acrotray_Anomaly;Detects an acrotray.exe that does not contain the usual strings;-;1970-01-01 01:00:00;75;Florian Roth;EXTVAR,FILE,EXE -COZY_FANCY_BEAR_modified_VmUpgradeHelper;Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report;https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/;2016-06-14 00:00:00;70;Florian Roth;EXTVAR,RUSSIA,FILE,EXE -IronTiger_Gh0stRAT_variant;This is a detection for a s.exe variant seen in Op. Iron Tiger;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;EXTVAR,INDIA,FILE,EXE +Impacket_Tools_tracer;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_wmiexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_sniffer;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_mmcexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_ifmap;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +karmaSMB;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +samrdump;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_rpcdump;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_secretsdump;Compiled Impacket 
Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_esentutl;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_opdump;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_sniff;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_smbexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_goldenPac;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_netview;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_smbtorture;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_mimikatz;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_smbrelayx;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_wmipersist;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_lookupsid;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_wmiquery;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_atexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE 
+Impacket_Tools_psexec;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;EXE,FILE +Impacket_Tools_Generic_1;Compiled Impacket Tools;https://github.com/maaaaz/impacket-examples-windows;2017-04-07 00:00:00;70;Florian Roth;GEN,EXE,FILE +Impacket_Lateral_Movement;Detects Impacket Network Aktivity for Lateral Movement;https://github.com/CoreSecurity/impacket;2018-03-22 00:00:00;60;Markus Neis;EXE,FILE +Generic_Dropper;Detects Dropper PDB string in file;https://goo.gl/JAHZVL;2018-03-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +Acrotray_Anomaly;Detects an acrotray.exe that does not contain the usual strings;-;1970-01-01 01:00:00;75;Florian Roth;EXTVAR,EXE,FILE +COZY_FANCY_BEAR_modified_VmUpgradeHelper;Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report;https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/;2016-06-14 00:00:00;70;Florian Roth;EXTVAR,EXE,RUSSIA,FILE +IronTiger_Gh0stRAT_variant;This is a detection for a s.exe variant seen in Op. 
Iron Tiger;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;EXTVAR,EXE,INDIA,FILE OpCloudHopper_Cloaked_PSCP;Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe;https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf;2017-04-07 00:00:00;90;Florian Roth;EXTVAR -msi_dll_Anomaly;Detetcs very small and supicious msi.dll;https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar;2017-02-10 00:00:00;70;Florian Roth;EXTVAR,FILE,EXE -PoS_Malware_MalumPOS_Config;MalumPOS Config File;http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/;2015-06-25 00:00:00;70;Florian Roth;EXTVAR,MAL -Malware_QA_update_test;VT Research QA uploaded malware - file update_.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;EXTVAR,FILE,EXE -SysInterals_PipeList_NameChanged;Detects NirSoft PipeList;https://goo.gl/Mr6M2J;2016-06-04 00:00:00;90;Florian Roth;EXTVAR,FILE,EXE +msi_dll_Anomaly;Detetcs very small and supicious msi.dll;https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar;2017-02-10 00:00:00;70;Florian Roth;EXTVAR,EXE,FILE +PoS_Malware_MalumPOS_Config;MalumPOS Config File;http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/;2015-06-25 00:00:00;70;Florian Roth;MAL,EXTVAR +Malware_QA_update_test;VT Research QA uploaded malware - file update_.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;EXTVAR,EXE,FILE +SysInterals_PipeList_NameChanged;Detects NirSoft PipeList;https://goo.gl/Mr6M2J;2016-06-04 00:00:00;90;Florian Roth;EXTVAR,EXE,FILE SCT_Scriptlet_in_Temp_Inet_Files;Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass);http://goo.gl/KAB8Jw;2016-04-26 00:00:00;70;Florian Roth;EXTVAR,FILE GIFCloaked_Webshell_A;Looks like a webshell cloaked as GIF;-;1970-01-01 01:00:00;60;Florian 
Roth;WEBSHELL exploit_ole_stdolelink;StdOleLink, potential 0day in April 2017;-;1970-01-01 01:00:00;55;David Cannings;EXTVAR -HackTool_Producers;Hacktool Producers String;-;1970-01-01 01:00:00;50;-;EXTVAR,HKTL,FILE,EXE -Exe_Cloaked_as_ThumbsDb;Detects an executable cloaked as thumbs.db - Malware;-;2014-07-18 00:00:00;50;Florian Roth;EXTVAR,MAL,FILE,EXE -Fake_AdobeReader_EXE;Detects an fake AdobeReader executable based on filesize OR missing strings in file;-;2014-09-11 00:00:00;50;Florian Roth;EXTVAR,FILE,EXE -Fake_FlashPlayerUpdaterService_EXE;Detects an fake AdobeReader executable based on filesize OR missing strings in file;-;2014-09-11 00:00:00;50;Florian Roth;EXTVAR,FILE,EXE +HackTool_Producers;Hacktool Producers String;-;1970-01-01 01:00:00;50;-;EXTVAR,EXE,HKTL,FILE +Exe_Cloaked_as_ThumbsDb;Detects an executable cloaked as thumbs.db - Malware;-;2014-07-18 00:00:00;50;Florian Roth;EXTVAR,EXE,MAL,FILE +Fake_AdobeReader_EXE;Detects an fake AdobeReader executable based on filesize OR missing strings in file;-;2014-09-11 00:00:00;50;Florian Roth;EXTVAR,EXE,FILE +Fake_FlashPlayerUpdaterService_EXE;Detects an fake AdobeReader executable based on filesize OR missing strings in file;-;2014-09-11 00:00:00;50;Florian Roth;EXTVAR,EXE,FILE mimikatz_lsass_mdmp;LSASS minidump file for mimikatz;-;1970-01-01 01:00:00;70;Benjamin DELPY (gentilkiwi);EXTVAR,FILE -lsadump;LSA dump programe (bootkey/syskey) - pwdump and others;-;1970-01-01 01:00:00;80;Benjamin DELPY (gentilkiwi);EXTVAR,FILE,EXE -APT_DarkHydrus_Jul18_1;Detects strings found in malware samples in APT report in DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;MIDDLE_EAST,APT,FILE,EXE -APT_DarkHydrus_Jul18_2;Detects strings found in malware samples in APT report in 
DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;MIDDLE_EAST,APT,FILE,EXE -APT_DarkHydrus_Jul18_3;Detects strings found in malware samples in APT report in DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;MIDDLE_EAST,APT,FILE,EXE -APT_DarkHydrus_Jul18_4;Detects strings found in malware samples in APT report in DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;MIDDLE_EAST,APT,FILE,EXE -APT_DarkHydrus_Jul18_5;Detects strings found in malware samples in APT report in DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;MIDDLE_EAST,APT,FILE,EXE -BeepService_Hacktool;Detects BeepService Hacktool used by Chinese APT groups;https://goo.gl/p32Ozf;2016-05-12 00:00:00;85;Florian Roth;APT,EXE,CHINA,FILE,HKTL -Elise_Jan18_1;Detects Elise malware samples - fake Norton Security NavShExt.dll;https://twitter.com/blu3_team/status/955971742329135105;2018-01-24 00:00:00;70;Florian Roth;FILE,EXE -LokiBot_Dropper_ScanCopyPDF_Feb18;Auto-generated rule - file Scan Copy.pdf.com;https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5;2018-02-14 00:00:00;70;Florian Roth;MAL,FILE,EXE +lsadump;LSA dump programe (bootkey/syskey) - pwdump and others;-;1970-01-01 01:00:00;80;Benjamin DELPY (gentilkiwi);EXTVAR,EXE,FILE +APT_DarkHydrus_Jul18_1;Detects strings found in malware samples in APT report in DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;EXE,APT,MIDDLE_EAST,FILE 
+APT_DarkHydrus_Jul18_2;Detects strings found in malware samples in APT report in DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;EXE,APT,MIDDLE_EAST,FILE +APT_DarkHydrus_Jul18_3;Detects strings found in malware samples in APT report in DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;EXE,APT,MIDDLE_EAST,FILE +APT_DarkHydrus_Jul18_4;Detects strings found in malware samples in APT report in DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;EXE,APT,MIDDLE_EAST,FILE +APT_DarkHydrus_Jul18_5;Detects strings found in malware samples in APT report in DarkHydrus;https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/;2018-07-28 00:00:00;70;Florian Roth;EXE,APT,MIDDLE_EAST,FILE +BeepService_Hacktool;Detects BeepService Hacktool used by Chinese APT groups;https://goo.gl/p32Ozf;2016-05-12 00:00:00;85;Florian Roth;EXE,CHINA,HKTL,APT,FILE +Elise_Jan18_1;Detects Elise malware samples - fake Norton Security NavShExt.dll;https://twitter.com/blu3_team/status/955971742329135105;2018-01-24 00:00:00;70;Florian Roth;EXE,FILE +LokiBot_Dropper_ScanCopyPDF_Feb18;Auto-generated rule - file Scan Copy.pdf.com;https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5;2018-02-14 00:00:00;70;Florian Roth;MAL,EXE,FILE LokiBot_Dropper_Packed_R11_Feb18;Auto-generated rule - file scan copy.pdf.r11;https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5;2018-02-14 00:00:00;70;Florian Roth;MAL,FILE VisualDiscovery_Lonovo_Superfish_SSL_Hijack;Lenovo Superfish SSL Interceptor - file 
VisualDiscovery.exe;https://twitter.com/4nc4p/status/568325493558272000;2015-02-19 00:00:00;70;Florian Roth / improved by kbandla; -HiddenCobra_BANKSHOT_Gen;Detects Hidden Cobra BANKSHOT trojan;https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity;2017-12-26 00:00:00;70;Florian Roth;NK,FILE,EXE +HiddenCobra_BANKSHOT_Gen;Detects Hidden Cobra BANKSHOT trojan;https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity;2017-12-26 00:00:00;70;Florian Roth;EXE,NK,FILE Unauthorized_Proxy_Server_RAT;-;https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity;1970-01-01 01:00:00;70;US-CERT Code Analysis Team;HKTL Invoke_Mimikatz;Detects Invoke-Mimikatz String;https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz;2016-08-03 00:00:00;70;Florian Roth; -Upatre_Hazgurut;Detects Upatre malware - file hazgurut.exe;https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7;2015-10-13 00:00:00;70;Florian Roth;FILE,EXE +Upatre_Hazgurut;Detects Upatre malware - file hazgurut.exe;https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7;2015-10-13 00:00:00;70;Florian Roth;EXE,FILE HKTL_PowerSploit;Detects default strings used by PowerSploit to establish persistence;https://www.hybrid-analysis.com/sample/16937e76db6d88ed0420ee87317424af2d4e19117fe12d1364fee35aa2fadb75?environmentId=100;2018-06-23 00:00:00;70;Markus Neis; -FVEY_ShadowBroker_Auct_Dez16_Strings;String from the ShodowBroker Files Screenshots - Dec 2016;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;60;Florian Roth;HKTL,FILE,EXE +FVEY_ShadowBroker_Auct_Dez16_Strings;String from the ShodowBroker Files Screenshots - Dec 2016;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;60;Florian Roth;EXE,HKTL,FILE FVEY_ShadowBroker_violetspirit;Auto-generated rule - file 
violetspirit.README;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL FVEY_ShadowBroker_gr_gr;Auto-generated rule - file gr.notes;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL FVEY_ShadowBroker_user_tool_yellowspirit;Auto-generated rule - file user.tool.yellowspirit.COMMON;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL 
@@ -1618,13 +1619,13 @@ FVEY_ShadowBroker_README_cup;Auto-generated rule - file README.cup.NOPEN;https:/
 FVEY_ShadowBroker_nopen_oneshot;Auto-generated rule - file oneshot.example;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL
 FVEY_ShadowBroker_user_tool_earlyshovel;Auto-generated rule - file user.tool.earlyshovel.COMMON;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL
 FVEY_ShadowBroker_user_tool_envisioncollision;Auto-generated rule - file user.tool.envisioncollision.COMMON;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL
-FVEY_ShadowBroker_Gen_Readme1;Auto-generated rule;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL,GEN
-FVEY_ShadowBroker_Gen_Readme2;Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL,GEN
-FVEY_ShadowBroker_Gen_Readme3;Auto-generated rule;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL,GEN
-FVEY_ShadowBroker_Gen_Readme4;Auto-generated rule - from files violetspirit.README, violetspirit.README;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;HKTL,GEN
+FVEY_ShadowBroker_Gen_Readme1;Auto-generated rule;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;GEN,HKTL
+FVEY_ShadowBroker_Gen_Readme2;Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;GEN,HKTL
+FVEY_ShadowBroker_Gen_Readme3;Auto-generated rule;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;GEN,HKTL
+FVEY_ShadowBroker_Gen_Readme4;Auto-generated rule - from files violetspirit.README, violetspirit.README;https://bit.no.com:43110/theshadowbrokers.bit/post/message6/;2016-12-17 00:00:00;70;Florian Roth;GEN,HKTL
 gen_macro_ShellExecute_action;VBA macro technique to call ShellExecute to launch payload;https://twitter.com/StanHacked/status/1075088449768693762;2019-01-08 00:00:00;70;John Lambert @JohnLaTwC;SCRIPT,FILE
-Winnti_fonfig;Winnti sample - file fonfig.exe;https://goo.gl/VbvJtL;2017-01-25 00:00:00;70;Florian Roth;CHINA,FILE,EXE
-Winnti_NlaifSvc;Winnti sample - file NlaifSvc.dll;https://goo.gl/VbvJtL;2017-01-25 00:00:00;70;Florian Roth;CHINA,FILE,EXE
+Winnti_fonfig;Winnti sample - file fonfig.exe;https://goo.gl/VbvJtL;2017-01-25 00:00:00;70;Florian Roth;EXE,CHINA,FILE
+Winnti_NlaifSvc;Winnti sample - file NlaifSvc.dll;https://goo.gl/VbvJtL;2017-01-25 00:00:00;70;Florian Roth;EXE,CHINA,FILE
 CN_Honker_mafix_root;Script from disclosed CN Honker Pentest Toolset - file root;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
 CN_Honker_passwd_dict_3389;Script from disclosed CN Honker Pentest Toolset - file 3389.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
 CN_Honker_Perl_serv_U;Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
@@ -1637,16 +1638,16 @@ CN_Honker_portRecall_pr;Script from disclosed CN Honker Pentest Toolset - file p
 CN_Honker_sig_3389_3389_3;Script from disclosed CN Honker Pentest Toolset - file 3389.bat;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
 CN_Honker_Alien_D;Script from disclosed CN Honker Pentest Toolset - file D.ASP;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
 CN_Honker_ChinaChopper_db;Script from disclosed CN Honker Pentest Toolset - file db.mdb;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
-CN_Honker_syconfig;Script from disclosed CN Honker Pentest Toolset - file syconfig.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,SCRIPTS
+CN_Honker_syconfig;Script from disclosed CN Honker Pentest Toolset - file syconfig.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS,FILE
 CN_Honker_linux_bin;Script from disclosed CN Honker Pentest Toolset - file linux_bin;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
-CN_Honker_Intersect2_Beta;Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,SCRIPTS
+CN_Honker_Intersect2_Beta;Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS,FILE
 CN_Honker_IIS_logcleaner1_0_readme;Script from disclosed CN Honker Pentest Toolset - file readme.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
 CN_Honker_Alien_command;Script from disclosed CN Honker Pentest Toolset - file command.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
 CN_Honker_portRecall_bc;Script from disclosed CN Honker Pentest Toolset - file bc.pl;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
 CN_Honker_Tuoku_script_MSSQL_;Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
 CN_Honker_nc_MOVE;Script from disclosed CN Honker Pentest Toolset - file MOVE.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
 CN_Honker_mssqlpw_scan;Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPTS
-OilRig_RGDoor_Gen1;Detects RGDoor backdoor used by OilRig group;https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/;2018-01-27 00:00:00;80;Florian Roth;MIDDLE_EAST,MAL,FILE,EXE
+OilRig_RGDoor_Gen1;Detects RGDoor backdoor used by OilRig group;https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/;2018-01-27 00:00:00;80;Florian Roth;MAL,EXE,MIDDLE_EAST,FILE
 Empire_Invoke_MetasploitPayload;Detects Empire component - file Invoke-MetasploitPayload.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;METASPLOIT,FILE
 Empire_Exploit_Jenkins;Detects Empire component - file Exploit-Jenkins.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;FILE
 Empire_Get_SecurityPackages;Detects Empire component - file Get-SecurityPackages.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;FILE
@@ -1660,7 +1661,7 @@ Empire_Invoke_SmbScanner;Detects Empire component - file Invoke-SmbScanner.ps1;h
 Empire_Exploit_JBoss;Detects Empire component - file Exploit-JBoss.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;FILE
 Empire_dumpCredStore;Detects Empire component - file dumpCredStore.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;FILE
 Empire_Invoke_EgressCheck;Detects Empire component - file Invoke-EgressCheck.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;FILE
-Empire_ReflectivePick_x64_orig;Detects Empire component - file ReflectivePick_x64_orig.dll;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;FILE,EXE
+Empire_ReflectivePick_x64_orig;Detects Empire component - file ReflectivePick_x64_orig.dll;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;EXE,FILE
 Empire_Out_Minidump;Detects Empire component - file Out-Minidump.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;FILE
 Empire_Invoke_PsExec;Detects Empire component - file Invoke-PsExec.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;FILE
 Empire_Invoke_PostExfil;Detects Empire component - file Invoke-PostExfil.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;FILE
@@ -1681,253 +1682,253 @@ Empire_PowerShell_Framework_Gen4;Detects Empire component;https://github.com/ada
 Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen;Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;HKTL,FILE
 Empire_Invoke_Gen;Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;HKTL,FILE
 Empire_PowerShell_Framework_Gen5;Detects Empire component;https://github.com/adaptivethreat/Empire;2016-11-05 00:00:00;70;Florian Roth;SCRIPT,FILE
-Microcin_Sample_1;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Microcin_Sample_2;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Microcin_Sample_3;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Microcin_Sample_4;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Microcin_Sample_5;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Microcin_Sample_6;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Microcin_Sample_1;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Microcin_Sample_2;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Microcin_Sample_3;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Microcin_Sample_4;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Microcin_Sample_5;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Microcin_Sample_6;Malware sample mentioned in Microcin technical report by Kaspersky;https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf;2017-09-26 00:00:00;70;Florian Roth;MAL,EXE,FILE
 BernhardPOS;BernhardPOS Credit Card dumping tool;http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick;1970-01-01 01:00:00;70;Nick Hoffman / Jeremy Humble;
-PoisonIvy_Sample_APT;Detects a PoisonIvy APT malware group;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;APT,FILE,EXE
-PoisonIvy_Sample_APT_2;Detects a PoisonIvy Malware;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-PoisonIvy_Sample_APT_3;Detects a PoisonIvy Malware;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-PoisonIvy_Sample_APT_4;Detects a PoisonIvy Sample APT;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;APT,FILE,EXE
-PoisonIvy_Sample_5;Detects PoisonIvy RAT sample set;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PoisonIvy_Sample_6;Detects PoisonIvy RAT sample set;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PoisonIvy_Sample_7;Detects PoisonIvy RAT sample set;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PoisonIvy_RAT_ssMUIDLL;Detects PoisonIvy RAT DLL mentioned in Palo Alto Blog in April 2016;http://goo.gl/WiwtYT;2016-04-22 00:00:00;70;Florian Roth (with the help of yarGen and Binarly);MAL,FILE,EXE
-Greenbug_Malware_1;Detects Malware from Greenbug Incident;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE,EXE
-Greenbug_Malware_2;Detects Backdoor from Greenbug Incident;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE,EXE
-Greenbug_Malware_3;Detects Backdoor from Greenbug Incident;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL
-Greenbug_Malware_4;Detects ISMDoor Backdoor;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Greenbug_Malware_5;Auto-generated rule;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Greenbug_Malware_Nov17_1;Detects Greenbug Malware;http://www.clearskysec.com/greenbug/;2017-11-26 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE,EXE
-MAL_GandCrab_Apr18_1;Detects GandCrab malware;https://twitter.com/MarceloRivero/status/988455516094550017;2018-04-23 00:00:00;70;Florian Roth;FILE,EXE
+PoisonIvy_Sample_APT;Detects a PoisonIvy APT malware group;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;EXE,APT,FILE
+PoisonIvy_Sample_APT_2;Detects a PoisonIvy Malware;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+PoisonIvy_Sample_APT_3;Detects a PoisonIvy Malware;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+PoisonIvy_Sample_APT_4;Detects a PoisonIvy Sample APT;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;EXE,APT,FILE
+PoisonIvy_Sample_5;Detects PoisonIvy RAT sample set;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PoisonIvy_Sample_6;Detects PoisonIvy RAT sample set;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PoisonIvy_Sample_7;Detects PoisonIvy RAT sample set;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PoisonIvy_RAT_ssMUIDLL;Detects PoisonIvy RAT DLL mentioned in Palo Alto Blog in April 2016;http://goo.gl/WiwtYT;2016-04-22 00:00:00;70;Florian Roth (with the help of yarGen and Binarly);MAL,EXE,FILE
+Greenbug_Malware_1;Detects Malware from Greenbug Incident;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MAL,EXE,MIDDLE_EAST,FILE
+Greenbug_Malware_2;Detects Backdoor from Greenbug Incident;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MAL,EXE,MIDDLE_EAST,FILE
+Greenbug_Malware_3;Detects Backdoor from Greenbug Incident;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MAL,MIDDLE_EAST
+Greenbug_Malware_4;Detects ISMDoor Backdoor;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Greenbug_Malware_5;Auto-generated rule;https://goo.gl/urp4CD;2017-01-25 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Greenbug_Malware_Nov17_1;Detects Greenbug Malware;http://www.clearskysec.com/greenbug/;2017-11-26 00:00:00;70;Florian Roth;MAL,EXE,MIDDLE_EAST,FILE
+MAL_GandCrab_Apr18_1;Detects GandCrab malware;https://twitter.com/MarceloRivero/status/988455516094550017;2018-04-23 00:00:00;70;Florian Roth;EXE,FILE
 TA17_318A_rc4_stack_key_fallchill;HiddenCobra FallChill - rc4_stack_key;https://www.us-cert.gov/ncas/alerts/TA17-318B;2017-11-15 00:00:00;70;US CERT;NK,FILE
 TA17_318A_success_fail_codes_fallchill;HiddenCobra FallChill - success_fail_codes;https://www.us-cert.gov/ncas/alerts/TA17-318B;2017-11-15 00:00:00;70;US CERT;NK,FILE
-HiddenCobra_FallChill_1;Auto-generated rule - file a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6;https://www.us-cert.gov/ncas/alerts/TA17-318A;2017-11-15 00:00:00;70;Florian Roth;FILE,EXE
-HiddenCobra_FallChill_2;Auto-generated rule - file 0a118eb23399000d148186b9079fa59caf4c3faa7e7a8f91533e467ac9b6ff41;https://www.us-cert.gov/ncas/alerts/TA17-318A;2017-11-15 00:00:00;70;Florian Roth;FILE,EXE
+HiddenCobra_FallChill_1;Auto-generated rule - file a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6;https://www.us-cert.gov/ncas/alerts/TA17-318A;2017-11-15 00:00:00;70;Florian Roth;EXE,FILE
+HiddenCobra_FallChill_2;Auto-generated rule - file 0a118eb23399000d148186b9079fa59caf4c3faa7e7a8f91533e467ac9b6ff41;https://www.us-cert.gov/ncas/alerts/TA17-318A;2017-11-15 00:00:00;70;Florian Roth;EXE,FILE
 VUL_JQuery_FileUpload_CVE_2018_9206;Detects JQuery File Upload vulnerability CVE-2018-9206;https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/;2018-10-19 00:00:00;70;Florian Roth;EXPLOIT
-TidePool_Malware;Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks;http://goo.gl/m2CXWR;2016-05-24 00:00:00;70;Florian Roth;FILE,EXE
-EternalRocks_taskhost;Detects EternalRocks Malware - file taskhost.exe;https://twitter.com/stamparm/status/864865144748298242;2017-05-18 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EternalRocks_svchost;Detects EternalRocks Malware - file taskhost.exe;https://twitter.com/stamparm/status/864865144748298242;2017-05-18 00:00:00;70;Florian Roth;MAL,FILE,EXE
+TidePool_Malware;Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks;http://goo.gl/m2CXWR;2016-05-24 00:00:00;70;Florian Roth;EXE,FILE
+EternalRocks_taskhost;Detects EternalRocks Malware - file taskhost.exe;https://twitter.com/stamparm/status/864865144748298242;2017-05-18 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EternalRocks_svchost;Detects EternalRocks Malware - file taskhost.exe;https://twitter.com/stamparm/status/864865144748298242;2017-05-18 00:00:00;70;Florian Roth;MAL,EXE,FILE
 Susp_Indicators_EXE;Detects packed NullSoft Inst EXE with characteristics of NetWire RAT;https://pastebin.com/8qaiyPxs;2018-01-05 00:00:00;60;Florian Roth;MAL,FILE
 Suspicious_BAT_Strings;Detects a string also used in Netwire RAT auxilliary;https://pastebin.com/8qaiyPxs;2018-01-05 00:00:00;60;Florian Roth;MAL
 Malicious_BAT_Strings;Detects a string also used in Netwire RAT auxilliary;https://pastebin.com/8qaiyPxs;2018-01-05 00:00:00;60;Florian Roth;MAL
-Win32_Buzus_Softpulse;Trojan Buzus / Softpulse;-;2015-05-13 00:00:00;75;Florian Roth;MAL,FILE,EXE
+Win32_Buzus_Softpulse;Trojan Buzus / Softpulse;-;2015-05-13 00:00:00;75;Florian Roth;MAL,EXE,FILE
 MAL_Kwampirs_Apr18;Kwampirs dropper and main payload components;https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia;2018-04-23 00:00:00;70;Symantec;
-Emissary_APT_Malware_1;Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll;http://goo.gl/V0epcf;2016-01-02 00:00:00;75;Florian Roth;MAL,APT,FILE,EXE
-APT_GreyEnergy_Malware_Oct18_1;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,FILE,EXE
-APT_GreyEnergy_Malware_Oct18_2;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,FILE,EXE
-APT_GreyEnergy_Malware_Oct18_3;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,FILE,EXE
-APT_GreyEnergy_Malware_Oct18_4;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,FILE,EXE
-APT_GreyEnergy_Malware_Oct18_5;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,FILE,EXE
-gen_unicorn_obfuscated_powershell;PowerShell payload obfuscated by Unicorn toolkit;https://github.com/trustedsec/unicorn/;2018-04-03 00:00:00;70;John Lambert @JohnLaTwC;SCRIPT,OBFUS,FILE
-Sofacy_Oct17_1;Detects Sofacy malware reported in October 2017;http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html;2017-10-23 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-Sofacy_Oct17_2;Detects Sofacy malware reported in October 2017;http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html;2017-10-23 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-PLEAD_Downloader_Jun18_1;Detects PLEAD Downloader;https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html;2018-06-16 00:00:00;70;Florian Roth;FILE,EXE
-ONHAT_Proxy_Hacktool;Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups;https://goo.gl/p32Ozf;2016-05-12 00:00:00;100;Florian Roth;APT,EXE,CHINA,FILE,HKTL
-Fareit_Trojan_Oct15;Detects Fareit Trojan from Sep/Oct 2015 Wave;http://goo.gl/5VYtlU;2015-10-18 00:00:00;80;Florian Roth;MAL,FILE,EXE
-TSCookie_RAT;Detects TSCookie RAT;http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html;2018-03-06 00:00:00;70;Florian Roth;MAL,FILE,EXE
-IronGate_APT_Step7ProSim_Gen;Detects IronGate APT Malware - Step7ProSim DLL;https://goo.gl/Mr6M2J;2016-06-04 00:00:00;90;Florian Roth;MAL,APT,FILE,EXE
-IronGate_PyInstaller_update_EXE;Detects a PyInstaller file named update.exe as mentioned in the IronGate APT;https://goo.gl/Mr6M2J;2016-06-04 00:00:00;60;Florian Roth;APT,FILE,EXE
-Nirsoft_NetResView;Detects NirSoft NetResView - utility that displays the list of all network resources;https://goo.gl/Mr6M2J;2016-06-04 00:00:00;40;Florian Roth;FILE,EXE
+Emissary_APT_Malware_1;Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll;http://goo.gl/V0epcf;2016-01-02 00:00:00;75;Florian Roth;MAL,EXE,APT,FILE
+APT_GreyEnergy_Malware_Oct18_1;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,EXE,FILE
+APT_GreyEnergy_Malware_Oct18_2;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,EXE,FILE
+APT_GreyEnergy_Malware_Oct18_3;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,EXE,FILE
+APT_GreyEnergy_Malware_Oct18_4;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,EXE,FILE
+APT_GreyEnergy_Malware_Oct18_5;Detects samples from Grey Energy report;https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/;2018-10-17 00:00:00;70;Florian Roth;MAL,EXE,FILE
+gen_unicorn_obfuscated_powershell;PowerShell payload obfuscated by Unicorn toolkit;https://github.com/trustedsec/unicorn/;2018-04-03 00:00:00;70;John Lambert @JohnLaTwC;OBFUS,SCRIPT,FILE
+Sofacy_Oct17_1;Detects Sofacy malware reported in October 2017;http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html;2017-10-23 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+Sofacy_Oct17_2;Detects Sofacy malware reported in October 2017;http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html;2017-10-23 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+PLEAD_Downloader_Jun18_1;Detects PLEAD Downloader;https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html;2018-06-16 00:00:00;70;Florian Roth;EXE,FILE
+ONHAT_Proxy_Hacktool;Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups;https://goo.gl/p32Ozf;2016-05-12 00:00:00;100;Florian Roth;EXE,CHINA,HKTL,APT,FILE
+Fareit_Trojan_Oct15;Detects Fareit Trojan from Sep/Oct 2015 Wave;http://goo.gl/5VYtlU;2015-10-18 00:00:00;80;Florian Roth;MAL,EXE,FILE
+TSCookie_RAT;Detects TSCookie RAT;http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html;2018-03-06 00:00:00;70;Florian Roth;MAL,EXE,FILE
+IronGate_APT_Step7ProSim_Gen;Detects IronGate APT Malware - Step7ProSim DLL;https://goo.gl/Mr6M2J;2016-06-04 00:00:00;90;Florian Roth;MAL,EXE,APT,FILE
+IronGate_PyInstaller_update_EXE;Detects a PyInstaller file named update.exe as mentioned in the IronGate APT;https://goo.gl/Mr6M2J;2016-06-04 00:00:00;60;Florian Roth;EXE,APT,FILE
+Nirsoft_NetResView;Detects NirSoft NetResView - utility that displays the list of all network resources;https://goo.gl/Mr6M2J;2016-06-04 00:00:00;40;Florian Roth;EXE,FILE
 WMImplant;Auto-generated rule - file WMImplant.ps1;https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html;2017-03-24 00:00:00;70;Florian Roth;
-Codoso_PlugX_3;Detects Codoso APT PlugX Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_PlugX_2;Detects Codoso APT PlugX Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_CustomTCP_4;Detects Codoso APT CustomTCP Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_CustomTCP_3;Detects Codoso APT CustomTCP Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_CustomTCP_2;Detects Codoso APT CustomTCP Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_PGV_PVID_6;Detects Codoso APT PGV_PVID Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_Gh0st_3;Detects Codoso APT Gh0st Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_Gh0st_2;Detects Codoso APT Gh0st Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_CustomTCP;Codoso CustomTCP Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Codoso_PGV_PVID_5;Detects Codoso APT PGV PVID Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_Gh0st_1;Detects Codoso APT Gh0st Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_PGV_PVID_4;Detects Codoso APT PlugX Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_PlugX_1;Detects Codoso APT PlugX Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
+Codoso_PlugX_3;Detects Codoso APT PlugX Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_PlugX_2;Detects Codoso APT PlugX Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_CustomTCP_4;Detects Codoso APT CustomTCP Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_CustomTCP_3;Detects Codoso APT CustomTCP Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_CustomTCP_2;Detects Codoso APT CustomTCP Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_PGV_PVID_6;Detects Codoso APT PGV_PVID Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_Gh0st_3;Detects Codoso APT Gh0st Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_Gh0st_2;Detects Codoso APT Gh0st Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_CustomTCP;Codoso CustomTCP Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Codoso_PGV_PVID_5;Detects Codoso APT PGV PVID Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_Gh0st_1;Detects Codoso APT Gh0st Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_PGV_PVID_4;Detects Codoso APT PlugX Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_PlugX_1;Detects Codoso APT PlugX Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
 Codoso_PGV_PVID_3;Detects Codoso APT PGV PVID Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT
-Codoso_PGV_PVID_2;Detects Codoso APT PGV PVID Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Codoso_PGV_PVID_1;Detects Codoso APT PGV PVID Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-MAL_WebMonitor_RAT;Detects WebMonitor RAT;https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/;2018-04-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Pupy_Backdoor;Detects Pupy backdoor;https://github.com/n1nj4sec/pupy-binaries;2017-08-11 00:00:00;70;Florian Roth;MAL,FILE,EXE
-apt_backspace;Detects APT backspace;-;2015-05-14 00:00:00;70;Bit Byte Bitten;APT,FILE,EXE
+Codoso_PGV_PVID_2;Detects Codoso APT PGV PVID Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Codoso_PGV_PVID_1;Detects Codoso APT PGV PVID Malware;https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks;2016-01-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+MAL_WebMonitor_RAT;Detects WebMonitor RAT;https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/;2018-04-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Pupy_Backdoor;Detects Pupy backdoor;https://github.com/n1nj4sec/pupy-binaries;2017-08-11 00:00:00;70;Florian Roth;MAL,EXE,FILE
+apt_backspace;Detects APT backspace;-;2015-05-14 00:00:00;70;Bit Byte Bitten;EXE,APT,FILE
 SNOWGLOBE_Babar_Malware;Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe;http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france;2015-02-18 00:00:00;80;Florian Roth;MAL
-Fireball_de_svr;Detects Fireball malware - file de_svr.exe;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;FILE,EXE
-Fireball_lancer;Detects Fireball malware - file lancer.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;FILE,EXE
-QQBrowser;Not malware but suspicious browser - file QQBrowser.exe;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;50;Florian Roth;FILE,EXE
-chrome_elf;Detects Fireball malware - file chrome_elf.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;FILE,EXE
-Fireball_regkey;Detects Fireball malware - file regkey.exe;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;FILE,EXE
-Fireball_winsap;Detects Fireball malware - file winsap.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;FILE,EXE
-Fireball_archer;Detects Fireball malware - file archer.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;FILE,EXE
-clearlog;Detects Fireball malware - file clearlog.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;FILE,EXE
-Fireball_gubed;Detects Fireball malware - file gubed.exe;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;FILE,EXE
-Locky_Ransomware;Detects Locky Ransomware (matches also on Win32/Kuluoz);https://goo.gl/qScSrE;2016-02-17 00:00:00;70;Florian Roth (with the help of binar.ly);RANSOM,MAL,CRIME
-MAL_Ryuk_Ransomware;Detects strings known from Ryuk Ransomware;https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/;2018-12-31 00:00:00;70;Florian Roth;EXE,RANSOM,CRIME,FILE,MAL
+Fireball_de_svr;Detects Fireball malware - file de_svr.exe;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;EXE,FILE
+Fireball_lancer;Detects Fireball malware - file lancer.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;EXE,FILE
+QQBrowser;Not malware but suspicious browser - file QQBrowser.exe;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;50;Florian Roth;EXE,FILE
+chrome_elf;Detects Fireball malware - file chrome_elf.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;EXE,FILE
+Fireball_regkey;Detects Fireball malware - file regkey.exe;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;EXE,FILE
+Fireball_winsap;Detects Fireball malware - file winsap.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;EXE,FILE
+Fireball_archer;Detects Fireball malware - file archer.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;EXE,FILE
+clearlog;Detects Fireball malware - file clearlog.dll;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;EXE,FILE
+Fireball_gubed;Detects Fireball malware - file gubed.exe;https://goo.gl/4pTkGQ;2017-06-02 00:00:00;70;Florian Roth;EXE,FILE
+Locky_Ransomware;Detects Locky Ransomware (matches also on Win32/Kuluoz);https://goo.gl/qScSrE;2016-02-17 00:00:00;70;Florian Roth (with the help of binar.ly);MAL,RANSOM,CRIME
+MAL_Ryuk_Ransomware;Detects strings known from Ryuk Ransomware;https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/;2018-12-31 00:00:00;70;Florian Roth;EXE,RANSOM,MAL,CRIME,FILE
 CobaltStrike_CN_Group_BeaconDropper_Aug17;Detects Script Dropper of Cobalt Gang used in August 2017;Internal Research;2017-08-09 00:00:00;70;Florian Roth;MAL
-CobaltGang_Malware_Aug17_1;Detects a Cobalt Gang malware;https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c;2017-08-09 00:00:00;70;Florian Roth;MAL,FILE,EXE
-CobaltGang_Malware_Aug17_2;Detects a Cobalt Gang malware;https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c;2017-08-09 00:00:00;70;Florian Roth;MAL,FILE,EXE
-gen_malware_MacOS_plist_suspicious;Suspicious PLIST files in MacOS (possible malware persistence);https://objective-see.com/blog/blog_0x3A.html;2018-12-14 00:00:00;70;John Lambert @JohnLaTwC;EXTVAR,MAL
+CobaltGang_Malware_Aug17_1;Detects a Cobalt Gang malware;https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c;2017-08-09 00:00:00;70;Florian Roth;MAL,EXE,FILE
+CobaltGang_Malware_Aug17_2;Detects a Cobalt Gang malware;https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c;2017-08-09 00:00:00;70;Florian Roth;MAL,EXE,FILE
+gen_malware_MacOS_plist_suspicious;Suspicious PLIST files in MacOS (possible malware persistence);https://objective-see.com/blog/blog_0x3A.html;2018-12-14 00:00:00;70;John Lambert @JohnLaTwC;MAL,EXTVAR
 gen_python_reverse_shell;Python Base64 encoded reverse shell;https://www.virustotal.com/en/file/9ec5102bcbabc45f2aa7775464f33019cfbe9d766b1332ee675957c923a17efd/analysis/;2018-02-24 00:00:00;70;John Lambert @JohnLaTwC;SCRIPT,FILE
 Base64_PS1_Shellcode;Detects Base64 encoded PS1 Shellcode;https://twitter.com/ItsReallyNick/status/1062601684566843392;2018-11-14 00:00:00;65;Nick Carr, David Ledbetter;
 APT34_Malware_HTA;Detects APT 34 malware;https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html;2017-12-07 00:00:00;70;Florian Roth;MAL,APT
-APT34_Malware_Exeruner;Detects APT 34 malware;https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html;2017-12-07 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
+APT34_Malware_Exeruner;Detects APT 34 malware;https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html;2017-12-07 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
 TA17_318B_volgmer;Malformed User Agent in Volgmer malware;https://www.us-cert.gov/ncas/alerts/TA17-318B;2017-11-15 00:00:00;70;US CERT;FILE
-Volgmer_Malware;Detects Volgmer malware as reported in US CERT TA17-318B;https://www.us-cert.gov/ncas/alerts/TA17-318B;2017-11-15 00:00:00;70;Florian Roth;FILE,EXE
-BTC_Miner_lsass1_chrome_2;Detects a Bitcoin Miner;Internal Research - CN Actor;2017-06-22 00:00:00;60;Florian Roth;FILE,EXE
-CN_Actor_RA_Tool_Ammyy_mscorsvw;Detects Ammyy remote access tool;Internal Research - CN Actor;2017-06-22 00:00:00;70;Florian Roth;FILE,EXE
-CN_Actor_AmmyyAdmin;Detects Ammyy Admin Downloader;Internal Research - CN Actor;2017-06-22 00:00:00;60;Florian Roth;FILE,EXE
+Volgmer_Malware;Detects Volgmer malware as reported in US CERT TA17-318B;https://www.us-cert.gov/ncas/alerts/TA17-318B;2017-11-15 00:00:00;70;Florian Roth;EXE,FILE
+BTC_Miner_lsass1_chrome_2;Detects a Bitcoin Miner;Internal Research - CN Actor;2017-06-22 00:00:00;60;Florian Roth;EXE,FILE
+CN_Actor_RA_Tool_Ammyy_mscorsvw;Detects Ammyy remote access tool;Internal Research - CN Actor;2017-06-22 00:00:00;70;Florian Roth;EXE,FILE
+CN_Actor_AmmyyAdmin;Detects Ammyy Admin Downloader;Internal Research - CN Actor;2017-06-22 00:00:00;60;Florian Roth;EXE,FILE
 SUSP_LNK_Big_Link_File;Detects a suspiciously big LNK file - maybe with embedded content;Internal Research;2018-05-15 00:00:00;65;Florian Roth;FILE
 TrojanDownloader;Trojan Downloader - Flash Exploit Feb15;http://goo.gl/wJ8V1I;2015-02-11 00:00:00;60;Florian Roth;MAL
-IsmDoor_Jul17_A2;Detects IsmDoor Malware;https://twitter.com/Voulnet/status/892104753295110145;2017-08-01 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Unknown_Malware_Sample_Jul17_2;Detects unknown malware sample with pastebin RAW URL;https://goo.gl/iqH8CK;2017-08-01 00:00:00;70;Florian Roth;MAL,FILE,EXE
+IsmDoor_Jul17_A2;Detects IsmDoor Malware;https://twitter.com/Voulnet/status/892104753295110145;2017-08-01 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Unknown_Malware_Sample_Jul17_2;Detects unknown malware sample with pastebin RAW URL;https://goo.gl/iqH8CK;2017-08-01 00:00:00;70;Florian Roth;MAL,EXE,FILE
 MAL_unspecified_Jan18_1;Detects unspecified malware sample;Internal Research;2018-01-19 00:00:00;70;Florian Roth;MAL
-CheshireCat_Sample2;Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8;https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/;2015-08-08 00:00:00;70;Florian Roth;FILE,EXE
-CheshireCat_Gen1;Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300;https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/;2015-08-08 00:00:00;90;Florian Roth;FILE,EXE
-CheshireCat_Gen2;Cheshire Cat Malware;https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/;2015-08-08 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Destructive_Ransomware_Gen1;Detects destructive malware;http://blog.talosintelligence.com/2018/02/olympic-destroyer.html;2018-02-12 00:00:00;70;Florian Roth;CRIME,FILE,EXE
-OlympicDestroyer_Gen2;Detects Olympic Destroyer malware;http://blog.talosintelligence.com/2018/02/olympic-destroyer.html;2018-02-12 00:00:00;70;Florian Roth;FILE,EXE
+CheshireCat_Sample2;Auto-generated rule - file 
dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8;https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/;2015-08-08 00:00:00;70;Florian Roth;EXE,FILE +CheshireCat_Gen1;Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300;https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/;2015-08-08 00:00:00;90;Florian Roth;EXE,FILE +CheshireCat_Gen2;Cheshire Cat Malware;https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/;2015-08-08 00:00:00;70;Florian Roth;MAL,EXE,FILE +Destructive_Ransomware_Gen1;Detects destructive malware;http://blog.talosintelligence.com/2018/02/olympic-destroyer.html;2018-02-12 00:00:00;70;Florian Roth;EXE,CRIME,FILE +OlympicDestroyer_Gen2;Detects Olympic Destroyer malware;http://blog.talosintelligence.com/2018/02/olympic-destroyer.html;2018-02-12 00:00:00;70;Florian Roth;EXE,FILE apt_win32_dll_rat_hiZorRAT;-;https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf;1970-01-01 01:00:00;70;-;FILE -MAL_BackNet_Nov18_1;Detects BackNet samples;https://github.com/valsov/BackNet;2018-11-02 00:00:00;70;Florian Roth;FILE,EXE -COZY_FANCY_BEAR_Hunt;Detects Cozy Bear / Fancy Bear C2 Server IPs;https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/;2016-06-14 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE -COZY_FANCY_BEAR_pagemgr_Hunt;Detects a pagemgr.exe as mentioned in the CrowdStrike report;https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/;2016-06-14 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE -Unspecified_Malware_Oct16_A;Detects an unspecififed malware - October 2016;Internal Research;2016-10-08 00:00:00;80;Florian Roth;MAL,FILE,EXE -Sality_Malware_Oct16;Detects an unspecififed malware - October 2016;Internal Research;2016-10-08 00:00:00;80;Florian Roth;MAL,FILE,EXE -Unspecified_Malware_Oct16_C;Detects an unspecififed malware - October 2016;Internal Research;2016-10-08 
00:00:00;80;Florian Roth;MAL,FILE,EXE -Bladabindi_Malware_B64;Detects Bladabindi Malware using Base64 encoded strings;Internal Research;2016-10-08 00:00:00;70;Florian Roth;MAL,FILE,EXE -Dorkbot_Injector_Malware;Detects Darkbot Injector;Internal Research;2016-10-08 00:00:00;70;Florian Roth;HKTL,MAL,FILE,EXE -Unspecified_Malware_Oct16_D;Detects unspecified malware - October 2016;Internal Research;2016-10-08 00:00:00;70;Florian Roth;MAL,FILE,EXE -Unspecified_Malware_Oct16_E;Detects unspecified Malware - October 2016;Internal Research;2016-10-08 00:00:00;70;Florian Roth;MAL,FILE,EXE -FreeMilk_APT_Mal_1;Detects malware from FreeMilk campaign;https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/;2017-10-05 00:00:00;70;Florian Roth;APT,FILE,EXE -FreeMilk_APT_Mal_2;Detects malware from FreeMilk campaign;https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/;2017-10-05 00:00:00;70;Florian Roth;APT,FILE,EXE -FreeMilk_APT_Mal_3;Detects malware from FreeMilk campaign;https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/;2017-10-05 00:00:00;70;Florian Roth;APT,FILE,EXE -FreeMilk_APT_Mal_4;Detects malware from FreeMilk campaign;https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/;2017-10-05 00:00:00;70;Florian Roth;APT,FILE,EXE -WiltedTulip_Tools_back;Detects Chrome password dumper used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;FILE,EXE +MAL_BackNet_Nov18_1;Detects BackNet samples;https://github.com/valsov/BackNet;2018-11-02 00:00:00;70;Florian Roth;EXE,FILE +COZY_FANCY_BEAR_Hunt;Detects Cozy Bear / Fancy Bear C2 Server IPs;https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/;2016-06-14 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE +COZY_FANCY_BEAR_pagemgr_Hunt;Detects a pagemgr.exe 
as mentioned in the CrowdStrike report;https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/;2016-06-14 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE +Unspecified_Malware_Oct16_A;Detects an unspecififed malware - October 2016;Internal Research;2016-10-08 00:00:00;80;Florian Roth;MAL,EXE,FILE +Sality_Malware_Oct16;Detects an unspecififed malware - October 2016;Internal Research;2016-10-08 00:00:00;80;Florian Roth;MAL,EXE,FILE +Unspecified_Malware_Oct16_C;Detects an unspecififed malware - October 2016;Internal Research;2016-10-08 00:00:00;80;Florian Roth;MAL,EXE,FILE +Bladabindi_Malware_B64;Detects Bladabindi Malware using Base64 encoded strings;Internal Research;2016-10-08 00:00:00;70;Florian Roth;MAL,EXE,FILE +Dorkbot_Injector_Malware;Detects Darkbot Injector;Internal Research;2016-10-08 00:00:00;70;Florian Roth;MAL,EXE,HKTL,FILE +Unspecified_Malware_Oct16_D;Detects unspecified malware - October 2016;Internal Research;2016-10-08 00:00:00;70;Florian Roth;MAL,EXE,FILE +Unspecified_Malware_Oct16_E;Detects unspecified Malware - October 2016;Internal Research;2016-10-08 00:00:00;70;Florian Roth;MAL,EXE,FILE +FreeMilk_APT_Mal_1;Detects malware from FreeMilk campaign;https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/;2017-10-05 00:00:00;70;Florian Roth;EXE,APT,FILE +FreeMilk_APT_Mal_2;Detects malware from FreeMilk campaign;https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/;2017-10-05 00:00:00;70;Florian Roth;EXE,APT,FILE +FreeMilk_APT_Mal_3;Detects malware from FreeMilk campaign;https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/;2017-10-05 00:00:00;70;Florian Roth;EXE,APT,FILE +FreeMilk_APT_Mal_4;Detects malware from FreeMilk campaign;https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/;2017-10-05 00:00:00;70;Florian 
Roth;EXE,APT,FILE +WiltedTulip_Tools_back;Detects Chrome password dumper used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;EXE,FILE WiltedTulip_Tools_clrlg;Detects Windows eventlog cleaner used in Operation Wilted Tulip - file clrlg.bat;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth; WiltedTulip_powershell;Detects powershell script used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth; -WiltedTulip_vminst;Detects malware used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;FILE,EXE +WiltedTulip_vminst;Detects malware used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;EXE,FILE WiltedTulip_Windows_UM_Task;Detects a Windows scheduled task as used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth; WiltedTulip_WindowsTask;Detects hack tool used in Operation Wilted Tulip - Windows Tasks;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth; -WiltedTulip_tdtess;Detects malicious service used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;FILE,EXE +WiltedTulip_tdtess;Detects malicious service used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;EXE,FILE WiltedTulip_SilverlightMSI;Detects powershell tool call Get_AD_Users_Logon_History used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth; -WiltedTulip_matryoshka_Injector;Detects hack tool used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;FILE,EXE -WiltedTulip_Zpp;Detects hack tool used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;FILE,EXE -WiltedTulip_Netsrv_netsrvs;Detects sample from Operation Wilted 
Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;FILE,EXE -WiltedTulip_ReflectiveLoader;Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;FILE,EXE -WiltedTulip_Matryoshka_RAT;Detects Matryoshka RAT used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;MAL,FILE,EXE -PowerShell_Emp_Eval_Jul17_A1;Detects suspicious sample with PowerShell content ;PowerShell Empire Eval;2017-07-27 00:00:00;70;Florian Roth;SCRIPT,FILE,EXE -PowerShell_Emp_Eval_Jul17_A2;Detects suspicious sample with PowerShell content ;PowerShell Empire Eval;2017-07-27 00:00:00;70;Florian Roth;SCRIPT,FILE,EXE -CMStar_Malware_Sep17;Detects CMStar Malware;https://goo.gl/pTffPA;2017-10-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -RevengeRAT_Sep17;Detects RevengeRAT malware;Internal Research;2017-09-04 00:00:00;70;Florian Roth;MAL,FILE,EXE +WiltedTulip_matryoshka_Injector;Detects hack tool used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;EXE,FILE +WiltedTulip_Zpp;Detects hack tool used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;EXE,FILE +WiltedTulip_Netsrv_netsrvs;Detects sample from Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;EXE,FILE +WiltedTulip_ReflectiveLoader;Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;EXE,FILE +WiltedTulip_Matryoshka_RAT;Detects Matryoshka RAT used in Operation Wilted Tulip;http://www.clearskysec.com/tulip;2017-07-23 00:00:00;70;Florian Roth;MAL,EXE,FILE +PowerShell_Emp_Eval_Jul17_A1;Detects suspicious sample with PowerShell content ;PowerShell Empire Eval;2017-07-27 00:00:00;70;Florian Roth;EXE,SCRIPT,FILE +PowerShell_Emp_Eval_Jul17_A2;Detects suspicious sample with PowerShell 
content ;PowerShell Empire Eval;2017-07-27 00:00:00;70;Florian Roth;EXE,SCRIPT,FILE +CMStar_Malware_Sep17;Detects CMStar Malware;https://goo.gl/pTffPA;2017-10-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +RevengeRAT_Sep17;Detects RevengeRAT malware;Internal Research;2017-09-04 00:00:00;70;Florian Roth;MAL,EXE,FILE POSHSPY_Malware;Detects;https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html;2017-07-15 00:00:00;70;Florian Roth; APT_Area1_SSF_PlugX;Detects send tool used in phishing campaign reported by Area 1 in December 2018;https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf;2018-12-19 00:00:00;70;Area 1; -APT_Area1_SSF_GoogleSend_Strings;Detects send tool used in phishing campaign reported by Area 1 in December 2018;https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf;2018-12-19 00:00:00;70;Area 1 (modified by Florian Roth);FILE,EXE -APT17_Sample_FXSST_DLL;Detects Samples related to APT17 activity - file FXSST.DLL;https://goo.gl/ZiJyQv;2015-05-14 00:00:00;70;Florian Roth;APT,MAL,FILE,EXE +APT_Area1_SSF_GoogleSend_Strings;Detects send tool used in phishing campaign reported by Area 1 in December 2018;https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf;2018-12-19 00:00:00;70;Area 1 (modified by Florian Roth);EXE,FILE +APT17_Sample_FXSST_DLL;Detects Samples related to APT17 activity - file FXSST.DLL;https://goo.gl/ZiJyQv;2015-05-14 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE PowerShell_Susp_Parameter_Combo;Detects PowerShell invocation with suspicious parameters;https://goo.gl/uAic1X;2017-03-12 00:00:00;60;Florian Roth;SCRIPT -Sofacy_Jun16_Sample1;Detects Sofacy Malware mentioned in PaloAltoNetworks APT report;http://goo.gl/mzAa97;2016-06-14 00:00:00;85;Florian Roth;APT,EXE,FILE,RUSSIA,MAL -Sofacy_Jun16_Sample2;Detects Sofacy Malware mentioned in PaloAltoNetworks APT report;http://goo.gl/mzAa97;2016-06-14 00:00:00;85;Florian Roth;APT,EXE,FILE,RUSSIA,MAL 
-Sofacy_Jun16_Sample3;Detects Sofacy Malware mentioned in PaloAltoNetworks APT report;http://goo.gl/mzAa97;2016-06-14 00:00:00;85;Florian Roth;APT,EXE,FILE,RUSSIA,MAL -Quasar_RAT_Jan18_1;Detects Quasar RAT;https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/;2018-01-29 00:00:00;70;Florian Roth;MAL,FILE,EXE -Vermin_Keylogger_Jan18_1;Detects Vermin Keylogger;https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/;2018-01-29 00:00:00;70;Florian Roth;HKTL,FILE,EXE -TopHat_Malware_Jan18_1;Detects malware from TopHat campaign;https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix;2018-01-29 00:00:00;70;Florian Roth;MAL,FILE,EXE -TopHat_Malware_Jan18_2;Auto-generated rule - file e.exe;https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix;2018-01-29 00:00:00;70;Florian Roth;MAL,FILE,EXE +Sofacy_Jun16_Sample1;Detects Sofacy Malware mentioned in PaloAltoNetworks APT report;http://goo.gl/mzAa97;2016-06-14 00:00:00;85;Florian Roth;EXE,RUSSIA,MAL,APT,FILE +Sofacy_Jun16_Sample2;Detects Sofacy Malware mentioned in PaloAltoNetworks APT report;http://goo.gl/mzAa97;2016-06-14 00:00:00;85;Florian Roth;EXE,RUSSIA,MAL,APT,FILE +Sofacy_Jun16_Sample3;Detects Sofacy Malware mentioned in PaloAltoNetworks APT report;http://goo.gl/mzAa97;2016-06-14 00:00:00;85;Florian Roth;EXE,RUSSIA,MAL,APT,FILE +Quasar_RAT_Jan18_1;Detects Quasar RAT;https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/;2018-01-29 00:00:00;70;Florian Roth;MAL,EXE,FILE +Vermin_Keylogger_Jan18_1;Detects Vermin Keylogger;https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/;2018-01-29 00:00:00;70;Florian 
Roth;EXE,HKTL,FILE +TopHat_Malware_Jan18_1;Detects malware from TopHat campaign;https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix;2018-01-29 00:00:00;70;Florian Roth;MAL,EXE,FILE +TopHat_Malware_Jan18_2;Auto-generated rule - file e.exe;https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix;2018-01-29 00:00:00;70;Florian Roth;MAL,EXE,FILE TopHat_BAT;Auto-generated rule - file cgen.bat;https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix;2018-01-29 00:00:00;70;Florian Roth; -gen_exploit_CVE_2017_10271_WebLogic;Exploit for CVE-2017-10271 (Oracle WebLogic);https://github.com/c0mmand3rOpSec/CVE-2017-10271, https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html;2018-03-21 00:00:00;70;John Lambert @JohnLaTwC;FILE,EXPLOIT -APT30_Generic_H;FireEye APT30 Report Sample - file db3e5c2f2ce07c2d3fa38d6fc1ceb854;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Sample_2;FireEye APT30 Report Sample - file c4dec6d69d8035d481e4f2c86f580e81;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_3;FireEye APT30 Report Sample - file 59e055cee87d8faf6f701293e5830b5a;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_C;FireEye APT30 Report Sample - file 0c4fcef3b583d0ffffc2b14b9297d3a4;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Sample_4;FireEye APT30 Report Sample - file 6ba315275561d99b1eb8fc614ff0b2b3;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 
00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_5;FireEye APT30 Report Sample - file ebf42e8b532e2f3b19046b028b5dfb23;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_6;FireEye APT30 Report Sample - file ee1b23c97f809151805792f8778ead74;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_7;FireEye APT30 Report Sample - file 74b87086887e0c67ffb035069b195ac7;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_E;FireEye APT30 Report Sample - file 8ff473bedbcc77df2c49a91167b1abeb;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Sample_8;FireEye APT30 Report Sample - file 44b98f22155f420af4528d17bb4a5ec8;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_B;FireEye APT30 Report Sample - file 29395c528693b69233c1c12bef8a64b3;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Generic_I;FireEye APT30 Report Sample - file fe211c7a081c1dac46e3935f7c614549;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Sample_9;FireEye APT30 Report Sample - file e3ae3cbc024e39121c87d73e87bb2210;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_10;FireEye APT30 Report Sample - file 8c713117af4ca6bbd69292a78069e75b;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_11;FireEye APT30 Report Sample - file d97aace631d6f089595f5ce177f54a39;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_12;FireEye APT30 Report Sample - file 
c95cd106c1fecbd500f4b97566d8dc96;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_13;FireEye APT30 Report Sample - file 95bb314fe8fdbe4df31a6d23b0d378bc;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_14;FireEye APT30 Report Sample - file 6f931c15789d234881be8ae8ccfe33f4;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_15;FireEye APT30 Report Sample - file e26a2afaaddfb09d9ede505c6f1cc4e3;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_16;FireEye APT30 Report Sample - file 37e568bed4ae057e548439dc811b4d3a;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_A;FireEye APT30 Report Sample - file af1c1c5d8031c4942630b6a10270d8f4;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Sample_17;FireEye APT30 Report Sample - file 23813c5bf6a7af322b40bd2fd94bd42e;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_18;FireEye APT30 Report Sample - file b2138a57f723326eda5a26d2dec56851;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_G;FireEye APT30 Report Sample - file 53f1358cbc298da96ec56e9a08851b4b;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Sample_19;FireEye APT30 Report Sample - file 5d4f2871fd1818527ebd65b0ff930a77;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_E_v2;FireEye APT30 Report Sample - file 71f25831681c19ea17b2f2a84a41bbfb;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian 
Roth;GEN,FILE,APT -APT30_Sample_20;FireEye APT30 Report Sample - file 5ae51243647b7d03a5cb20dccbc0d561;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_21;FireEye APT30 Report Sample - file 78c4fcee5b7fdbabf3b9941225d95166;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_22;FireEye APT30 Report Sample - file fad06d7b4450c4631302264486611ec3;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_F;FireEye APT30 Report Sample - file 4c10a1efed25b828e4785d9526507fbc;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Sample_23;FireEye APT30 Report Sample - file a5ca2c5b4d8c0c1bc93570ed13dcab1a;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_24;FireEye APT30 Report Sample - file 062fe1336459a851bd0ea271bb2afe35;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_25;FireEye APT30 Report Sample - file c4c068200ad8033a0f0cf28507b51842;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_26;FireEye APT30 Report Sample - file 428fc53c84e921ac518e54a5d055f54a;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_D;FireEye APT30 Report Sample - file 597805832d45d522c4882f21db800ecf;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Sample_27;FireEye APT30 Report Sample - file d38e02eac7e3b299b46ff2607dd0f288;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_28;FireEye APT30 Report Sample - file 
e62a63307deead5c9fcca6b9a2d51fb0;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_29;FireEye APT30 Report Sample - file 1b81b80ff0edf57da2440456d516cc90;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_30;FireEye APT30 Report Sample - file bf8616bbed6d804a3dea09b230c2ab0c;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_31;FireEye APT30 Report Sample - file d8e68db503f4155ed1aeba95d1f5e3e4;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_J;FireEye APT30 Report Sample - file baff5262ae01a9217b10fcd5dad9d1d5;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Microfost;FireEye APT30 Report Sample - file 310a4a62ba3765cbf8e8bbb9f324c503;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Generic_K;FireEye APT30 Report Sample - file b5a343d11e1f7340de99118ce9fc1bbb;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Sample_33;FireEye APT30 Report Sample - file 5eaf3deaaf2efac92c73ada82a651afe;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_34;FireEye APT30 Report Sample - file a9e8e402a7ee459e4896d0ba83543684;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_35;FireEye APT30 Report Sample - file 414854a9b40f7757ed7bfc6a1b01250f;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;FILE,APT -APT30_Sample_1;FireEye APT30 Report Sample - file 4c6b21e98ca03e0ef0910e07cef45dac;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian 
Roth;FILE,APT -APT30_Generic_1;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Generic_2;FireEye APT30 Report Sample - from many files;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Generic_3;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Generic_4;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Generic_5;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Generic_6;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Generic_7;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Generic_8;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT -APT30_Generic_9;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,FILE,APT +gen_exploit_CVE_2017_10271_WebLogic;Exploit for CVE-2017-10271 (Oracle WebLogic);https://github.com/c0mmand3rOpSec/CVE-2017-10271, https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html;2018-03-21 00:00:00;70;John Lambert @JohnLaTwC;EXPLOIT,FILE +APT30_Generic_H;FireEye APT30 Report Sample - file db3e5c2f2ce07c2d3fa38d6fc1ceb854;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Sample_2;FireEye APT30 Report Sample - file 
c4dec6d69d8035d481e4f2c86f580e81;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_3;FireEye APT30 Report Sample - file 59e055cee87d8faf6f701293e5830b5a;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_C;FireEye APT30 Report Sample - file 0c4fcef3b583d0ffffc2b14b9297d3a4;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Sample_4;FireEye APT30 Report Sample - file 6ba315275561d99b1eb8fc614ff0b2b3;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_5;FireEye APT30 Report Sample - file ebf42e8b532e2f3b19046b028b5dfb23;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_6;FireEye APT30 Report Sample - file ee1b23c97f809151805792f8778ead74;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_7;FireEye APT30 Report Sample - file 74b87086887e0c67ffb035069b195ac7;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_E;FireEye APT30 Report Sample - file 8ff473bedbcc77df2c49a91167b1abeb;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Sample_8;FireEye APT30 Report Sample - file 44b98f22155f420af4528d17bb4a5ec8;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_B;FireEye APT30 Report Sample - file 29395c528693b69233c1c12bef8a64b3;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Generic_I;FireEye APT30 Report Sample - file fe211c7a081c1dac46e3935f7c614549;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian 
Roth;GEN,APT,FILE +APT30_Sample_9;FireEye APT30 Report Sample - file e3ae3cbc024e39121c87d73e87bb2210;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_10;FireEye APT30 Report Sample - file 8c713117af4ca6bbd69292a78069e75b;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_11;FireEye APT30 Report Sample - file d97aace631d6f089595f5ce177f54a39;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_12;FireEye APT30 Report Sample - file c95cd106c1fecbd500f4b97566d8dc96;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_13;FireEye APT30 Report Sample - file 95bb314fe8fdbe4df31a6d23b0d378bc;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_14;FireEye APT30 Report Sample - file 6f931c15789d234881be8ae8ccfe33f4;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_15;FireEye APT30 Report Sample - file e26a2afaaddfb09d9ede505c6f1cc4e3;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_16;FireEye APT30 Report Sample - file 37e568bed4ae057e548439dc811b4d3a;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_A;FireEye APT30 Report Sample - file af1c1c5d8031c4942630b6a10270d8f4;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Sample_17;FireEye APT30 Report Sample - file 23813c5bf6a7af322b40bd2fd94bd42e;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_18;FireEye APT30 Report Sample - file 
b2138a57f723326eda5a26d2dec56851;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_G;FireEye APT30 Report Sample - file 53f1358cbc298da96ec56e9a08851b4b;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Sample_19;FireEye APT30 Report Sample - file 5d4f2871fd1818527ebd65b0ff930a77;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_E_v2;FireEye APT30 Report Sample - file 71f25831681c19ea17b2f2a84a41bbfb;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Sample_20;FireEye APT30 Report Sample - file 5ae51243647b7d03a5cb20dccbc0d561;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_21;FireEye APT30 Report Sample - file 78c4fcee5b7fdbabf3b9941225d95166;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_22;FireEye APT30 Report Sample - file fad06d7b4450c4631302264486611ec3;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_F;FireEye APT30 Report Sample - file 4c10a1efed25b828e4785d9526507fbc;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Sample_23;FireEye APT30 Report Sample - file a5ca2c5b4d8c0c1bc93570ed13dcab1a;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_24;FireEye APT30 Report Sample - file 062fe1336459a851bd0ea271bb2afe35;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_25;FireEye APT30 Report Sample - file c4c068200ad8033a0f0cf28507b51842;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian 
Roth;APT,FILE +APT30_Sample_26;FireEye APT30 Report Sample - file 428fc53c84e921ac518e54a5d055f54a;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_D;FireEye APT30 Report Sample - file 597805832d45d522c4882f21db800ecf;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Sample_27;FireEye APT30 Report Sample - file d38e02eac7e3b299b46ff2607dd0f288;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_28;FireEye APT30 Report Sample - file e62a63307deead5c9fcca6b9a2d51fb0;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_29;FireEye APT30 Report Sample - file 1b81b80ff0edf57da2440456d516cc90;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_30;FireEye APT30 Report Sample - file bf8616bbed6d804a3dea09b230c2ab0c;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_31;FireEye APT30 Report Sample - file d8e68db503f4155ed1aeba95d1f5e3e4;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_J;FireEye APT30 Report Sample - file baff5262ae01a9217b10fcd5dad9d1d5;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Microfost;FireEye APT30 Report Sample - file 310a4a62ba3765cbf8e8bbb9f324c503;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_K;FireEye APT30 Report Sample - file b5a343d11e1f7340de99118ce9fc1bbb;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Sample_33;FireEye APT30 Report Sample - file 
5eaf3deaaf2efac92c73ada82a651afe;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_34;FireEye APT30 Report Sample - file a9e8e402a7ee459e4896d0ba83543684;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_35;FireEye APT30 Report Sample - file 414854a9b40f7757ed7bfc6a1b01250f;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Sample_1;FireEye APT30 Report Sample - file 4c6b21e98ca03e0ef0910e07cef45dac;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;APT,FILE +APT30_Generic_1;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Generic_2;FireEye APT30 Report Sample - from many files;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Generic_3;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Generic_4;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Generic_5;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Generic_6;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Generic_7;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Generic_8;FireEye APT30 Report Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE +APT30_Generic_9;FireEye APT30 Report 
Sample;https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf;2015-04-13 00:00:00;70;Florian Roth;GEN,APT,FILE Invoke_PSImage;Detects a command to execute PowerShell from String;https://github.com/peewpw/Invoke-PSImage;2017-12-16 00:00:00;70;Florian Roth;SCRIPT -NK_Miner_Malware_Jan18_1;Detects Noth Korean Monero Miner mentioned in AlienVault report;https://goo.gl/PChE1z;2018-01-09 00:00:00;70;Florian Roth (original rule by Chris Doman);MAL,FILE,EXE -CrunchRAT;Detects CrunchRAT - file CrunchRAT.exe;https://github.com/t3ntman/CrunchRAT;2017-11-03 00:00:00;70;Florian Roth;MAL,FILE,EXE -Datper_Backdoor;Detects Datper Malware;http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html;2017-08-21 00:00:00;70;Florian Roth;MAL,FILE,EXE +NK_Miner_Malware_Jan18_1;Detects Noth Korean Monero Miner mentioned in AlienVault report;https://goo.gl/PChE1z;2018-01-09 00:00:00;70;Florian Roth (original rule by Chris Doman);MAL,EXE,FILE +CrunchRAT;Detects CrunchRAT - file CrunchRAT.exe;https://github.com/t3ntman/CrunchRAT;2017-11-03 00:00:00;70;Florian Roth;MAL,EXE,FILE +Datper_Backdoor;Detects Datper Malware;http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html;2017-08-21 00:00:00;70;Florian Roth;MAL,EXE,FILE susp_file_enumerator_with_encrypted_resource_101;Generic detection for samples that enumerate files with encrypted resource called 101;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;1970-01-01 01:00:00;70;-;EXTVAR,GEN,FILE StoneDrill_main_sub;Rule to detect StoneDrill (decrypted) samples;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;1970-01-01 01:00:00;70;Kaspersky Lab;MIDDLE_EAST,FILE StoneDrill_BAT_1;Rule to detect Batch file from StoneDrill report;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;1970-01-01 01:00:00;70;Florian Roth;MIDDLE_EAST,FILE StoneDrill_Service_Install;Rule to detect Batch file from StoneDrill 
report;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;1970-01-01 01:00:00;70;Florian Roth;MIDDLE_EAST -StoneDrill_ntssrvr32;Detects malware from StoneDrill threat report;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;2017-03-07 00:00:00;70;Florian Roth;MIDDLE_EAST,FILE,EXE -StoneDrill_Malware_2;Detects malware from StoneDrill threat report;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;2017-03-07 00:00:00;70;Florian Roth;MIDDLE_EAST,MAL,FILE,EXE -StoneDrill;Detects malware from StoneDrill threat report;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;2017-03-07 00:00:00;70;Florian Roth;MIDDLE_EAST,FILE,EXE +StoneDrill_ntssrvr32;Detects malware from StoneDrill threat report;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;2017-03-07 00:00:00;70;Florian Roth;EXE,MIDDLE_EAST,FILE +StoneDrill_Malware_2;Detects malware from StoneDrill threat report;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;2017-03-07 00:00:00;70;Florian Roth;MAL,EXE,MIDDLE_EAST,FILE +StoneDrill;Detects malware from StoneDrill threat report;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;2017-03-07 00:00:00;70;Florian Roth;EXE,MIDDLE_EAST,FILE StoneDrill_VBS_1;Detects malware from StoneDrill threat report;https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/;2017-03-07 00:00:00;70;Florian Roth;SCRIPT,MIDDLE_EAST -PUP_FancyBear_ComputraceAgent;Absolute Computrace Agent Executable;https://asert.arbornetworks.com/lojack-becomes-a-double-agent/;2018-05-01 00:00:00;70;ASERT - Arbor Networks (slightly modified by Florian Roth);FILE,EXE +PUP_FancyBear_ComputraceAgent;Absolute Computrace Agent Executable;https://asert.arbornetworks.com/lojack-becomes-a-double-agent/;2018-05-01 00:00:00;70;ASERT - Arbor Networks (slightly modified by Florian Roth);EXE,FILE Payload_Exe2Hex;Detects payload generated by 
exe2hex;https://github.com/g0tmi1k/exe2hex;2016-01-15 00:00:00;70;Florian Roth; -MiniDionis_readerView;MiniDionis Malware - file readerView.exe / adobe.exe;http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950;2015-07-20 00:00:00;70;Florian Roth;MAL,FILE,EXE +MiniDionis_readerView;MiniDionis Malware - file readerView.exe / adobe.exe;http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950;2015-07-20 00:00:00;70;Florian Roth;MAL,EXE,FILE Malicious_SFX1;SFX with voicemail content;http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950;2015-07-20 00:00:00;70;Florian Roth;FILE -Malicious_SFX2;SFX with adobe.exe content;http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950;2015-07-20 00:00:00;70;Florian Roth;FILE,EXE +Malicious_SFX2;SFX with adobe.exe content;http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950;2015-07-20 00:00:00;70;Florian Roth;EXE,FILE MiniDionis_VBS_Dropped;Dropped File - 1.vbs;https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/;2015-07-21 00:00:00;70;Florian Roth;SCRIPT -MAL_OSX_FancyBear_Agent_Jul18_1;Detects FancyBear Agent for OSX;https://twitter.com/DrunkBinary/status/1018448895054098432;2018-07-15 00:00:00;70;Florian Roth;FILE,RUSSIA,MACOS -RottenPotato_Potato;Detects a component of privilege escalation tool Rotten Potato - file Potato.exe;https://github.com/foxglovesec/RottenPotato;2017-02-07 00:00:00;90;Florian Roth;FILE,EXE -KasperMalware_Oct17_1;Detects Kasper Backdoor;Internal Research;2017-10-24 00:00:00;70;Florian Roth;MAL,FILE,EXE -OSX_backdoor_Bella;Bella MacOS/OSX backdoor;https://twitter.com/JohnLaTwC/status/911998777182924801;2018-02-23 00:00:00;70;John Lambert @JohnLaTwC;EXTVAR,MAL,MACOS +MAL_OSX_FancyBear_Agent_Jul18_1;Detects FancyBear Agent for OSX;https://twitter.com/DrunkBinary/status/1018448895054098432;2018-07-15 00:00:00;70;Florian Roth;MACOS,RUSSIA,FILE +RottenPotato_Potato;Detects a component of privilege escalation tool Rotten Potato - file 
Potato.exe;https://github.com/foxglovesec/RottenPotato;2017-02-07 00:00:00;90;Florian Roth;EXE,FILE +KasperMalware_Oct17_1;Detects Kasper Backdoor;Internal Research;2017-10-24 00:00:00;70;Florian Roth;MAL,EXE,FILE +OSX_backdoor_Bella;Bella MacOS/OSX backdoor;https://twitter.com/JohnLaTwC/status/911998777182924801;2018-02-23 00:00:00;70;John Lambert @JohnLaTwC;MAL,MACOS,EXTVAR TA459_Malware_May17_1;Detects TA459 related malware;https://goo.gl/RLf9qU;2017-05-31 00:00:00;70;Florian Roth;MAL,FILE -TA459_Malware_May17_2;Detects TA459 related malware;https://goo.gl/RLf9qU;2017-05-31 00:00:00;70;Florian Roth;MAL,FILE,EXE -apt_nix_elf_derusbi;Detects Derusbi Backdoor ELF;https://github.com/fideliscyber/indicators/tree/master/FTA-1021;2016-02-29 00:00:00;70;Fidelis Cybersecurity;MAL,FILE,LINUX -apt_nix_elf_derusbi_kernelModule;Detects Derusbi Backdoor ELF Kernel Module;https://github.com/fideliscyber/indicators/tree/master/FTA-1021;2016-02-29 00:00:00;70;Fidelis Cybersecurity;MAL,FILE,LINUX -apt_nix_elf_Derusbi_Linux_SharedMemCreation;Detects Derusbi Backdoor ELF Shared Memory Creation;https://github.com/fideliscyber/indicators/tree/master/FTA-1021;2016-02-29 00:00:00;70;Fidelis Cybersecurity;MAL,FILE,LINUX -apt_nix_elf_Derusbi_Linux_Strings;Detects Derusbi Backdoor ELF Strings;https://github.com/fideliscyber/indicators/tree/master/FTA-1021;2016-02-29 00:00:00;70;Fidelis Cybersecurity;MAL,FILE,LINUX +TA459_Malware_May17_2;Detects TA459 related malware;https://goo.gl/RLf9qU;2017-05-31 00:00:00;70;Florian Roth;MAL,EXE,FILE +apt_nix_elf_derusbi;Detects Derusbi Backdoor ELF;https://github.com/fideliscyber/indicators/tree/master/FTA-1021;2016-02-29 00:00:00;70;Fidelis Cybersecurity;MAL,LINUX,FILE +apt_nix_elf_derusbi_kernelModule;Detects Derusbi Backdoor ELF Kernel Module;https://github.com/fideliscyber/indicators/tree/master/FTA-1021;2016-02-29 00:00:00;70;Fidelis Cybersecurity;MAL,LINUX,FILE +apt_nix_elf_Derusbi_Linux_SharedMemCreation;Detects Derusbi Backdoor ELF Shared 
Memory Creation;https://github.com/fideliscyber/indicators/tree/master/FTA-1021;2016-02-29 00:00:00;70;Fidelis Cybersecurity;MAL,LINUX,FILE +apt_nix_elf_Derusbi_Linux_Strings;Detects Derusbi Backdoor ELF Strings;https://github.com/fideliscyber/indicators/tree/master/FTA-1021;2016-02-29 00:00:00;70;Fidelis Cybersecurity;MAL,LINUX,FILE apt_win_exe_trojan_derusbi;Detects Derusbi Backdoor Win32;https://github.com/fideliscyber/indicators/tree/master/FTA-1021;2016-02-29 00:00:00;70;Fidelis Cybersecurity;MAL,FILE -APT_Lazarus_Aug18_Downloader_1;Detects Lazarus Group Malware Downloadery;https://securelist.com/operation-applejeus/87553/;2018-08-24 00:00:00;70;Florian Roth;NK,MAL,FILE,EXE -APT_Lazarus_Aug18_1;Detects Lazarus Group Malware;https://securelist.com/operation-applejeus/87553/;2018-08-24 00:00:00;70;Florian Roth;NK,MAL,FILE,EXE -APT_Lazarus_Aug18_2;Detects Lazarus Group Malware;https://securelist.com/operation-applejeus/87553/;2018-08-24 00:00:00;70;Florian Roth;NK,MAL,FILE,EXE -APT_FallChill_RC4_Keys;Detects FallChill RC4 keys;https://securelist.com/operation-applejeus/87553/;2018-08-21 00:00:00;70;Florian Roth;FILE,EXE -ReflectiveLoader;Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended;Internal Research;1970-01-01 01:00:00;60;-;FILE,EXE -Reflective_DLL_Loader_Aug17_1;Detects Reflective DLL Loader;Internal Research;2017-08-20 00:00:00;70;Florian Roth;FILE,EXE -DLL_Injector_Lynx;Detects Lynx DLL Injector;Internal Research;2017-08-20 00:00:00;70;Florian Roth;HKTL,FILE,EXE -Reflective_DLL_Loader_Aug17_2;Detects Reflective DLL Loader - suspicious - Possible FP could be program crack;Internal Research;2017-08-20 00:00:00;60;Florian Roth;FILE,EXE -Reflective_DLL_Loader_Aug17_3;Detects Reflective DLL Loader;Internal Research;2017-08-20 00:00:00;70;Florian Roth;FILE,EXE -Reflective_DLL_Loader_Aug17_4;Detects Reflective DLL Loader;Internal Research;2017-08-20 00:00:00;70;Florian Roth;FILE,EXE 
+APT_Lazarus_Aug18_Downloader_1;Detects Lazarus Group Malware Downloadery;https://securelist.com/operation-applejeus/87553/;2018-08-24 00:00:00;70;Florian Roth;MAL,EXE,NK,FILE +APT_Lazarus_Aug18_1;Detects Lazarus Group Malware;https://securelist.com/operation-applejeus/87553/;2018-08-24 00:00:00;70;Florian Roth;MAL,EXE,NK,FILE +APT_Lazarus_Aug18_2;Detects Lazarus Group Malware;https://securelist.com/operation-applejeus/87553/;2018-08-24 00:00:00;70;Florian Roth;MAL,EXE,NK,FILE +APT_FallChill_RC4_Keys;Detects FallChill RC4 keys;https://securelist.com/operation-applejeus/87553/;2018-08-21 00:00:00;70;Florian Roth;EXE,FILE +ReflectiveLoader;Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended;Internal Research;1970-01-01 01:00:00;60;-;EXE,FILE +Reflective_DLL_Loader_Aug17_1;Detects Reflective DLL Loader;Internal Research;2017-08-20 00:00:00;70;Florian Roth;EXE,FILE +DLL_Injector_Lynx;Detects Lynx DLL Injector;Internal Research;2017-08-20 00:00:00;70;Florian Roth;EXE,HKTL,FILE +Reflective_DLL_Loader_Aug17_2;Detects Reflective DLL Loader - suspicious - Possible FP could be program crack;Internal Research;2017-08-20 00:00:00;60;Florian Roth;EXE,FILE +Reflective_DLL_Loader_Aug17_3;Detects Reflective DLL Loader;Internal Research;2017-08-20 00:00:00;70;Florian Roth;EXE,FILE +Reflective_DLL_Loader_Aug17_4;Detects Reflective DLL Loader;Internal Research;2017-08-20 00:00:00;70;Florian Roth;EXE,FILE ps1_toolkit_PowerUp;Auto-generated rule - file PowerUp.ps1;https://github.com/vysec/ps1-toolkit;2016-09-04 00:00:00;80;Florian Roth;FILE ps1_toolkit_Inveigh_BruteForce;Auto-generated rule - file Inveigh-BruteForce.ps1;https://github.com/vysec/ps1-toolkit;2016-09-04 00:00:00;80;Florian Roth;FILE ps1_toolkit_Invoke_Shellcode;Auto-generated rule - file Invoke-Shellcode.ps1;https://github.com/vysec/ps1-toolkit;2016-09-04 00:00:00;80;Florian Roth;FILE 
@@ -1939,168 +1940,168 @@ ps1_toolkit_Inveigh_BruteForce_2;Auto-generated rule - from files Inveigh-BruteF ps1_toolkit_PowerUp_2;Auto-generated rule - from files PowerUp.ps1;https://github.com/vysec/ps1-toolkit;2016-09-04 00:00:00;80;Florian Roth;FILE ps1_toolkit_Persistence_2;Auto-generated rule - from files Persistence.ps1;https://github.com/vysec/ps1-toolkit;2016-09-04 00:00:00;80;Florian Roth;FILE ps1_toolkit_Inveigh_BruteForce_3;Auto-generated rule - from files Inveigh-BruteForce.ps1;https://github.com/vysec/ps1-toolkit;2016-09-04 00:00:00;80;Florian Roth;FILE -turla_png_dropper;Detects the PNG Dropper used by the Turla group;https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/;2018-11-23 00:00:00;70;Ben Humphrey;MAL,FILE,RUSSIA -turla_png_reg_enum_payload;Payload that has most recently been dropped by the Turla PNG Dropper;https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/;2018-11-23 00:00:00;70;Ben Humphrey;MAL,FILE,RUSSIA -apt28_win_zebrocy_golang_loader_modified;Detects unpacked modified APT28/Sofacy Zebrocy Golang.;https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html;2018-12-25 00:00:00;70;@VK_Intel;RUSSIA,APT,FILE,EXE -PowerShell_Suite_Hacktools_Gen_Strings;Detects strings from scripts in the PowerShell-Suite repo;https://github.com/FuzzySecurity/PowerShell-Suite;2017-12-27 00:00:00;70;Florian Roth;SCRIPT,GEN +turla_png_dropper;Detects the PNG Dropper used by the Turla group;https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/;2018-11-23 00:00:00;70;Ben Humphrey;MAL,RUSSIA,FILE +turla_png_reg_enum_payload;Payload that has most recently been dropped by the Turla PNG Dropper;https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/;2018-11-23 00:00:00;70;Ben Humphrey;MAL,RUSSIA,FILE 
+apt28_win_zebrocy_golang_loader_modified;Detects unpacked modified APT28/Sofacy Zebrocy Golang.;https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html;2018-12-25 00:00:00;70;@VK_Intel;EXE,APT,RUSSIA,FILE +PowerShell_Suite_Hacktools_Gen_Strings;Detects strings from scripts in the PowerShell-Suite repo;https://github.com/FuzzySecurity/PowerShell-Suite;2017-12-27 00:00:00;70;Florian Roth;GEN,SCRIPT PowerShell_Suite_Eidolon;Detects PowerShell Suite Eidolon script - file Start-Eidolon.ps1;https://github.com/FuzzySecurity/PowerShell-Suite;2017-12-27 00:00:00;70;Florian Roth;SCRIPT,FILE -CorkowDLL;Rule to detect the Corkow DLL files;-;2016-02-05 00:00:00;70;Group IB;FILE,EXE -MyWScript_CompiledScript;Detects a scripte with default name Mywscript compiled with Script2Exe (can also be a McAfee tool https://community.mcafee.com/docs/DOC-4124);Internal Research;2017-07-27 00:00:00;65;Florian Roth;FILE,EXE -CN_Honker_MAC_IPMAC;Sample from CN Honker Pentest Toolset - file IPMAC.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_GetSyskey;Sample from CN Honker Pentest Toolset - file GetSyskey.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Churrasco;Sample from CN Honker Pentest Toolset - file Churrasco.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_mysql_injectV1_1_Creak;Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE +CorkowDLL;Rule to detect the Corkow DLL files;-;2016-02-05 00:00:00;70;Group IB;EXE,FILE +MyWScript_CompiledScript;Detects a scripte with default name Mywscript compiled with Script2Exe (can also be a McAfee tool https://community.mcafee.com/docs/DOC-4124);Internal Research;2017-07-27 00:00:00;65;Florian Roth;EXE,FILE +CN_Honker_MAC_IPMAC;Sample from CN Honker Pentest Toolset - file 
IPMAC.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_GetSyskey;Sample from CN Honker Pentest Toolset - file GetSyskey.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Churrasco;Sample from CN Honker Pentest Toolset - file Churrasco.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_mysql_injectV1_1_Creak;Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE CN_Honker_ASP_wshell;Sample from CN Honker Pentest Toolset - file wshell.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE -CN_Honker_exp_iis7;Sample from CN Honker Pentest Toolset - file iis7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_SegmentWeapon;Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE +CN_Honker_exp_iis7;Sample from CN Honker Pentest Toolset - file iis7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_SegmentWeapon;Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE CN_Honker_Alien_iispwd;Sample from CN Honker Pentest Toolset - file iispwd.vbs;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth; -CN_Honker_Md5CrackTools;Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_CoolScan_scan;Sample from CN Honker Pentest Toolset - file scan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE +CN_Honker_Md5CrackTools;Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe;Disclosed CN Honker Pentest 
Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_CoolScan_scan;Sample from CN Honker Pentest Toolset - file scan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE CN_Honker_mempodipper2_6;Sample from CN Honker Pentest Toolset - file mempodipper2.6.39;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth; -CN_Honker_COOKIE_CooKie;Sample from CN Honker Pentest Toolset - file CooKie.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_wwwscan_1_wwwscan;Sample from CN Honker Pentest Toolset - file wwwscan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_D_injection_V2_32;Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_net_priv_esc2;Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Oracle_v1_0_Oracle;Sample from CN Honker Pentest Toolset - file Oracle.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Interception;Sample from CN Honker Pentest Toolset - file Interception.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0;Sample from CN Honker Pentest Toolset - file 3.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_windows_exp;Sample from CN Honker Pentest Toolset - file exp.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_safe3wvs_cgiscan;Sample from CN Honker Pentest Toolset - file cgiscan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_pr_debug;Sample from CN Honker Pentest Toolset - file debug.exe;Disclosed CN Honker Pentest 
Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_T00ls_Lpk_Sethc_v4_0;Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_MatriXay1073;Sample from CN Honker Pentest Toolset - file MatriXay1073.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Sword1_5;Sample from CN Honker Pentest Toolset - file Sword1.5.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Havij_Havij;Sample from CN Honker Pentest Toolset - file Havij.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_exp_ms11011;Sample from CN Honker Pentest Toolset - file ms11011.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_DLL_passive_privilege_escalation_ws2help;Sample from CN Honker Pentest Toolset - file ws2help.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Webshell;Sample from CN Honker Pentest Toolset - file Webshell.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,FILE,EXE -CN_Honker_AspxClient;Sample from CN Honker Pentest Toolset - file AspxClient.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Fckeditor;Sample from CN Honker Pentest Toolset - file Fckeditor.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Codeeer_Explorer;Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_SwordHonkerEdition;Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_HASH_PwDump7;Sample from CN Honker Pentest Toolset - file 
PwDump7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;HKTL,FILE,EXE -CN_Honker_ChinaChopper;Sample from CN Honker Pentest Toolset - file ChinaChopper.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;CHINA,FILE,EXE -CN_Honker_dedecms5_7;Sample from CN Honker Pentest Toolset - file dedecms5.7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Alien_ee;Sample from CN Honker Pentest Toolset - file ee.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_smsniff_smsniff;Sample from CN Honker Pentest Toolset - file smsniff.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Happy_Happy;Sample from CN Honker Pentest Toolset - file Happy.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_T00ls_Lpk_Sethc_v3_0;Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_NetFuke_NetFuke;Sample from CN Honker Pentest Toolset - file NetFuke.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_ManualInjection;Sample from CN Honker Pentest Toolset - file ManualInjection.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;HKTL,FILE,EXE -CN_Honker_CnCerT_CCdoor_CMD;Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_termsrvhack;Sample from CN Honker Pentest Toolset - file termsrvhack.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_IIS6_iis6;Sample from CN Honker Pentest Toolset - file iis6.com;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_struts2_catbox;Sample from CN Honker Pentest Toolset 
- file catbox.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_getlsasrvaddr;Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_ms10048_x64;Sample from CN Honker Pentest Toolset - file ms10048-x64.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_LogCleaner;Sample from CN Honker Pentest Toolset - file LogCleaner.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_shell_brute_tool;Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_hxdef100;Sample from CN Honker Pentest Toolset - file hxdef100.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Arp_EMP_v1_0;Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_GetWebShell;Sample from CN Honker Pentest Toolset - file GetWebShell.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Cracker_SHELL;Sample from CN Honker Pentest Toolset - file SHELL.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_MSTSC_can_direct_copy;Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_lcx_lcx;Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_PostgreSQL;Sample from CN Honker Pentest Toolset - file PostgreSQL.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_WebRobot;Sample from CN Honker 
Pentest Toolset - file WebRobot.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Baidu_Extractor_Ver1_0;Sample from CN Honker Pentest Toolset - file Baidu_Extractor_Ver1.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_FTP_scanning;Sample from CN Honker Pentest Toolset - file FTP_scanning.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_dirdown_dirdown;Sample from CN Honker Pentest Toolset - file dirdown.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Xiaokui_conversion_tool;Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_GroupPolicyRemover;Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_WordpressScanner;Sample from CN Honker Pentest Toolset - file WordpressScanner.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;HKTL,OFFICE,FILE,EXE -CN_Honker_Htran_V2_40_htran20;Sample from CN Honker Pentest Toolset - file htran20.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_DictionaryGenerator;Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;GEN,FILE,EXE -CN_Honker_ms11080_withcmd;Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_T00ls_Lpk_Sethc_v2;Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_HASH_32;Sample from CN Honker Pentest Toolset - file 32.exe;Disclosed CN Honker Pentest 
Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_windows_mstsc_enhanced_RMDSTC;Sample from CN Honker Pentest Toolset - file RMDSTC.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_sig_3389_mstsc_MSTSCAX;Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_T00ls_scanner;Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_GetHashes;Sample from CN Honker Pentest Toolset - file GetHashes.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_hashq_Hashq;Sample from CN Honker Pentest Toolset - file Hashq.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_ShiftBackdoor_Server;Sample from CN Honker Pentest Toolset - file Server.dat;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_exp_win2003;Sample from CN Honker Pentest Toolset - file win2003.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Interception3389_setup;Sample from CN Honker Pentest Toolset - file setup.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_CnCerT_CCdoor_CMD_2;Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_exp_ms11046;Sample from CN Honker Pentest Toolset - file ms11046.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Master_beta_1_7;Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_F4ck_Team_f4ck_2;Sample from CN Honker Pentest Toolset - file f4ck_2.exe;Disclosed 
CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_sig_3389_80_AntiFW;Sample from CN Honker Pentest Toolset - file AntiFW.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_wwwscan_gui;Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_SwordCollEdition;Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_HconSTFportable;Sample from CN Honker Pentest Toolset - file HconSTFportable.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_T00ls_Lpk_Sethc_v3_LPK;Sample from CN Honker Pentest Toolset - file LPK.DAT;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Without_a_trace_Wywz;Sample from CN Honker Pentest Toolset - file Wywz.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_LPK2_0_LPK;Sample from CN Honker Pentest Toolset - file LPK.DAT;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_cleaniis;Sample from CN Honker Pentest Toolset - file cleaniis.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_arp3_7_arp3_7;Sample from CN Honker Pentest Toolset - file arp3.7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_exp_ms11080;Sample from CN Honker Pentest Toolset - file ms11080.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Injection_transit;Sample from CN Honker Pentest Toolset - file Injection_transit.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;HKTL,FILE,EXE -CN_Honker_Safe3WVS;Sample from CN Honker Pentest Toolset - file Safe3WVS.EXE;Disclosed CN 
Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_NBSI_3_0;Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0;Sample from CN Honker Pentest Toolset - file 2.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_hkmjjiis6;Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_clearlogs;Sample from CN Honker Pentest Toolset - file clearlogs.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_no_net_priv_esc_AddUser;Sample from CN Honker Pentest Toolset - file AddUser.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Injection;Sample from CN Honker Pentest Toolset - file Injection.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;HKTL,FILE,EXE -CN_Honker_SQLServer_inject_Creaked;Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_WebScan_WebScan;Sample from CN Honker Pentest Toolset - file WebScan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_GetHashes_2;Sample from CN Honker Pentest Toolset - file GetHashes.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen;Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;HKTL,GEN,FILE,EXE +CN_Honker_COOKIE_CooKie;Sample from CN Honker Pentest Toolset - file CooKie.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 
00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_wwwscan_1_wwwscan;Sample from CN Honker Pentest Toolset - file wwwscan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_D_injection_V2_32;Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_net_priv_esc2;Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Oracle_v1_0_Oracle;Sample from CN Honker Pentest Toolset - file Oracle.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Interception;Sample from CN Honker Pentest Toolset - file Interception.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0;Sample from CN Honker Pentest Toolset - file 3.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_windows_exp;Sample from CN Honker Pentest Toolset - file exp.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_safe3wvs_cgiscan;Sample from CN Honker Pentest Toolset - file cgiscan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_pr_debug;Sample from CN Honker Pentest Toolset - file debug.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_T00ls_Lpk_Sethc_v4_0;Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_MatriXay1073;Sample from CN Honker Pentest Toolset - file MatriXay1073.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Sword1_5;Sample from CN Honker Pentest Toolset - file Sword1.5.exe;Disclosed CN Honker Pentest 
Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Havij_Havij;Sample from CN Honker Pentest Toolset - file Havij.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_exp_ms11011;Sample from CN Honker Pentest Toolset - file ms11011.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_DLL_passive_privilege_escalation_ws2help;Sample from CN Honker Pentest Toolset - file ws2help.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Webshell;Sample from CN Honker Pentest Toolset - file Webshell.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;WEBSHELL,EXE,FILE +CN_Honker_AspxClient;Sample from CN Honker Pentest Toolset - file AspxClient.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Fckeditor;Sample from CN Honker Pentest Toolset - file Fckeditor.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Codeeer_Explorer;Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_SwordHonkerEdition;Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_HASH_PwDump7;Sample from CN Honker Pentest Toolset - file PwDump7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,HKTL,FILE +CN_Honker_ChinaChopper;Sample from CN Honker Pentest Toolset - file ChinaChopper.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,CHINA,FILE +CN_Honker_dedecms5_7;Sample from CN Honker Pentest Toolset - file dedecms5.7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Alien_ee;Sample from CN Honker Pentest Toolset - file ee.exe;Disclosed CN 
Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_smsniff_smsniff;Sample from CN Honker Pentest Toolset - file smsniff.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Happy_Happy;Sample from CN Honker Pentest Toolset - file Happy.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_T00ls_Lpk_Sethc_v3_0;Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_NetFuke_NetFuke;Sample from CN Honker Pentest Toolset - file NetFuke.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_ManualInjection;Sample from CN Honker Pentest Toolset - file ManualInjection.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,HKTL,FILE +CN_Honker_CnCerT_CCdoor_CMD;Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_termsrvhack;Sample from CN Honker Pentest Toolset - file termsrvhack.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_IIS6_iis6;Sample from CN Honker Pentest Toolset - file iis6.com;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_struts2_catbox;Sample from CN Honker Pentest Toolset - file catbox.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_getlsasrvaddr;Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_ms10048_x64;Sample from CN Honker Pentest Toolset - file ms10048-x64.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_LogCleaner;Sample from CN Honker Pentest Toolset - 
file LogCleaner.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_shell_brute_tool;Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_hxdef100;Sample from CN Honker Pentest Toolset - file hxdef100.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Arp_EMP_v1_0;Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_GetWebShell;Sample from CN Honker Pentest Toolset - file GetWebShell.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Cracker_SHELL;Sample from CN Honker Pentest Toolset - file SHELL.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_MSTSC_can_direct_copy;Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_lcx_lcx;Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_PostgreSQL;Sample from CN Honker Pentest Toolset - file PostgreSQL.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_WebRobot;Sample from CN Honker Pentest Toolset - file WebRobot.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Baidu_Extractor_Ver1_0;Sample from CN Honker Pentest Toolset - file Baidu_Extractor_Ver1.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_FTP_scanning;Sample from CN Honker Pentest Toolset - file FTP_scanning.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_dirdown_dirdown;Sample from CN Honker 
Pentest Toolset - file dirdown.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Xiaokui_conversion_tool;Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_GroupPolicyRemover;Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_WordpressScanner;Sample from CN Honker Pentest Toolset - file WordpressScanner.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,OFFICE,HKTL,FILE +CN_Honker_Htran_V2_40_htran20;Sample from CN Honker Pentest Toolset - file htran20.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_DictionaryGenerator;Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;GEN,EXE,FILE +CN_Honker_ms11080_withcmd;Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_T00ls_Lpk_Sethc_v2;Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_HASH_32;Sample from CN Honker Pentest Toolset - file 32.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_windows_mstsc_enhanced_RMDSTC;Sample from CN Honker Pentest Toolset - file RMDSTC.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_sig_3389_mstsc_MSTSCAX;Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_T00ls_scanner;Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe;Disclosed CN Honker Pentest 
Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_GetHashes;Sample from CN Honker Pentest Toolset - file GetHashes.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_hashq_Hashq;Sample from CN Honker Pentest Toolset - file Hashq.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_ShiftBackdoor_Server;Sample from CN Honker Pentest Toolset - file Server.dat;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_exp_win2003;Sample from CN Honker Pentest Toolset - file win2003.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Interception3389_setup;Sample from CN Honker Pentest Toolset - file setup.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_CnCerT_CCdoor_CMD_2;Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_exp_ms11046;Sample from CN Honker Pentest Toolset - file ms11046.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Master_beta_1_7;Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_F4ck_Team_f4ck_2;Sample from CN Honker Pentest Toolset - file f4ck_2.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_sig_3389_80_AntiFW;Sample from CN Honker Pentest Toolset - file AntiFW.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_wwwscan_gui;Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_SwordCollEdition;Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe;Disclosed CN Honker 
Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_HconSTFportable;Sample from CN Honker Pentest Toolset - file HconSTFportable.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_T00ls_Lpk_Sethc_v3_LPK;Sample from CN Honker Pentest Toolset - file LPK.DAT;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Without_a_trace_Wywz;Sample from CN Honker Pentest Toolset - file Wywz.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_LPK2_0_LPK;Sample from CN Honker Pentest Toolset - file LPK.DAT;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_cleaniis;Sample from CN Honker Pentest Toolset - file cleaniis.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_arp3_7_arp3_7;Sample from CN Honker Pentest Toolset - file arp3.7.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_exp_ms11080;Sample from CN Honker Pentest Toolset - file ms11080.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Injection_transit;Sample from CN Honker Pentest Toolset - file Injection_transit.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,HKTL,FILE +CN_Honker_Safe3WVS;Sample from CN Honker Pentest Toolset - file Safe3WVS.EXE;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_NBSI_3_0;Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0;Sample from CN Honker Pentest Toolset - file 2.0.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_hkmjjiis6;Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe;Disclosed CN Honker Pentest 
Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_clearlogs;Sample from CN Honker Pentest Toolset - file clearlogs.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_no_net_priv_esc_AddUser;Sample from CN Honker Pentest Toolset - file AddUser.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Injection;Sample from CN Honker Pentest Toolset - file Injection.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,HKTL,FILE +CN_Honker_SQLServer_inject_Creaked;Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_WebScan_WebScan;Sample from CN Honker Pentest Toolset - file WebScan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_GetHashes_2;Sample from CN Honker Pentest Toolset - file GetHashes.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen;Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;GEN,EXE,HKTL,FILE CN_Honker_Tuoku_script_oracle_2;Sample from CN Honker Pentest Toolset - file oracle.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth; -CN_Honker_net_packet_capt;Sample from CN Honker Pentest Toolset - file net_packet_capt.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_CleanIISLog;Sample from CN Honker Pentest Toolset - file CleanIISLog.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_HASH_pwhash;Sample from CN Honker Pentest Toolset - file pwhash.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian 
Roth;FILE,EXE -CN_Honker_cleaner_cl_2;Sample from CN Honker Pentest Toolset - file cl.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_SqlMap_Python_Run;Sample from CN Honker Pentest Toolset - file Run.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;SCRIPT,FILE,EXE -CN_Honker_SAMInside;Sample from CN Honker Pentest Toolset - file SAMInside.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_WebScan_wwwscan;Sample from CN Honker Pentest Toolset - file wwwscan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_sig_3389_2_3389;Sample from CN Honker Pentest Toolset - file 3389.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE +CN_Honker_net_packet_capt;Sample from CN Honker Pentest Toolset - file net_packet_capt.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_CleanIISLog;Sample from CN Honker Pentest Toolset - file CleanIISLog.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_HASH_pwhash;Sample from CN Honker Pentest Toolset - file pwhash.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_cleaner_cl_2;Sample from CN Honker Pentest Toolset - file cl.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_SqlMap_Python_Run;Sample from CN Honker Pentest Toolset - file Run.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,SCRIPT,FILE +CN_Honker_SAMInside;Sample from CN Honker Pentest Toolset - file SAMInside.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_WebScan_wwwscan;Sample from CN Honker Pentest Toolset - file wwwscan.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE 
+CN_Honker_sig_3389_2_3389;Sample from CN Honker Pentest Toolset - file 3389.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE CN_Honker_PHP_php11;Sample from CN Honker Pentest Toolset - file php11.txt;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth; -CN_Honker_WebCruiserWVS;Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Hookmsgina;Sample from CN Honker Pentest Toolset - file Hookmsgina.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_sig_3389_xp3389;Sample from CN Honker Pentest Toolset - file xp3389.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_CookiesView;Sample from CN Honker Pentest Toolset - file CookiesView.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_T00ls_Lpk_Sethc_v4_LPK;Sample from CN Honker Pentest Toolset - file LPK.DAT;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_ScanHistory;Sample from CN Honker Pentest Toolset - file ScanHistory.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_InvasionErasor;Sample from CN Honker Pentest Toolset - file InvasionErasor.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_super_Injection1;Sample from CN Honker Pentest Toolset - file super Injection1.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;HKTL,FILE,EXE -CN_Honker_Pk_Pker;Sample from CN Honker Pentest Toolset - file Pker.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_GetPass_GetPass;Sample from CN Honker Pentest Toolset - file GetPass.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE 
-CN_Honker_F4ck_Team_f4ck_3;Sample from CN Honker Pentest Toolset - file f4ck.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_F4ck_Team_F4ck_3;Sample from CN Honker Pentest Toolset - file F4ck_3.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_ACCESS_brute;Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_Fpipe_FPipe;Sample from CN Honker Pentest Toolset - file FPipe.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;50;Florian Roth;FILE,EXE -CN_Honker_Layer_Layer;Sample from CN Honker Pentest Toolset - file Layer.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_ms10048_x86;Sample from CN Honker Pentest Toolset - file ms10048-x86.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_HTran2_4;Sample from CN Honker Pentest Toolset - file HTran2.4.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker_SkinHRootkit_SkinH;Sample from CN Honker Pentest Toolset - file SkinH.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked;Sample from CN Honker Pentest Toolset;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker__wwwscan_wwwscan_wwwscan_gui;Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker__LPK_LPK_LPK;Sample from CN Honker Pentest Toolset - from files LPK.DAT, LPK.DAT, LPK.DAT;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker__builder_shift_SkinH;Sample from CN Honker Pentest Toolset - from files builder.exe, 
shift.exe, SkinH.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker__lcx_HTran2_4_htran20;Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32;Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;FILE,EXE -bin_ndisk;Hacking Team Disclosure Sample - file ndisk.sys;https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/;2015-07-07 00:00:00;100;Florian Roth;FILE,EXE -Hackingteam_Elevator_DLL;Hacking Team Disclosure Sample - file elevator.dll;http://t.co/EG0qtVcKLh;2015-07-07 00:00:00;70;Florian Roth;FILE,EXE -HackingTeam_Elevator_EXE;Hacking Team Disclosure Sample - file elevator.exe;Hacking Team Disclosure elevator.c;2015-07-07 00:00:00;70;Florian Roth;FILE,EXE +CN_Honker_WebCruiserWVS;Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_Hookmsgina;Sample from CN Honker Pentest Toolset - file Hookmsgina.dll;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_sig_3389_xp3389;Sample from CN Honker Pentest Toolset - file xp3389.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_CookiesView;Sample from CN Honker Pentest Toolset - file CookiesView.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_T00ls_Lpk_Sethc_v4_LPK;Sample from CN Honker Pentest Toolset - file LPK.DAT;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE +CN_Honker_ScanHistory;Sample from CN Honker Pentest Toolset - file 
ScanHistory.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_InvasionErasor;Sample from CN Honker Pentest Toolset - file InvasionErasor.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_super_Injection1;Sample from CN Honker Pentest Toolset - file super Injection1.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,HKTL,FILE
+CN_Honker_Pk_Pker;Sample from CN Honker Pentest Toolset - file Pker.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_GetPass_GetPass;Sample from CN Honker Pentest Toolset - file GetPass.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_F4ck_Team_f4ck_3;Sample from CN Honker Pentest Toolset - file f4ck.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_F4ck_Team_F4ck_3;Sample from CN Honker Pentest Toolset - file F4ck_3.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_ACCESS_brute;Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_Fpipe_FPipe;Sample from CN Honker Pentest Toolset - file FPipe.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;50;Florian Roth;EXE,FILE
+CN_Honker_Layer_Layer;Sample from CN Honker Pentest Toolset - file Layer.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_ms10048_x86;Sample from CN Honker Pentest Toolset - file ms10048-x86.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_HTran2_4;Sample from CN Honker Pentest Toolset - file HTran2.4.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker_SkinHRootkit_SkinH;Sample from CN Honker Pentest Toolset - file SkinH.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked;Sample from CN Honker Pentest Toolset;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker__wwwscan_wwwscan_wwwscan_gui;Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker__LPK_LPK_LPK;Sample from CN Honker Pentest Toolset - from files LPK.DAT, LPK.DAT, LPK.DAT;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker__builder_shift_SkinH;Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker__lcx_HTran2_4_htran20;Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32;Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe;Disclosed CN Honker Pentest Toolset;2015-06-23 00:00:00;70;Florian Roth;EXE,FILE
+bin_ndisk;Hacking Team Disclosure Sample - file ndisk.sys;https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/;2015-07-07 00:00:00;100;Florian Roth;EXE,FILE
+Hackingteam_Elevator_DLL;Hacking Team Disclosure Sample - file elevator.dll;http://t.co/EG0qtVcKLh;2015-07-07 00:00:00;70;Florian Roth;EXE,FILE
+HackingTeam_Elevator_EXE;Hacking Team Disclosure Sample - file elevator.exe;Hacking Team Disclosure elevator.c;2015-07-07 00:00:00;70;Florian Roth;EXE,FILE
 NTLM_Dump_Output;NTML Hash Dump output file - John/LC format;-;2015-10-01 00:00:00;75;Florian Roth;HKTL
 Gsecdump_password_dump_file;Detects a gsecdump output file;https://t.co/OLIj1yVJ4m;2018-03-06 00:00:00;65;Florian Roth;FILE
-Slingshot_APT_Spork_Downloader;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;APT,FILE,EXE
-Slingshot_APT_Minisling;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;APT,FILE,EXE
-Slingshot_APT_Ring0_Loader;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;APT,FILE,EXE
-Slingshot_APT_Malware_1;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Slingshot_APT_Malware_2;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Slingshot_APT_Malware_3;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-Slingshot_APT_Malware_4;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE
-HiddenCobra_r4_wiper_1;Detects HiddenCobra Wiper;https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf;2017-12-12 00:00:00;70;NCCIC Partner;NK,FILE,EXE
-HiddenCobra_r4_wiper_2;Detects HiddenCobra Wiper;https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf;2017-12-12 00:00:00;70;NCCIC Partner;NK,FILE,EXE
+Slingshot_APT_Spork_Downloader;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;EXE,APT,FILE
+Slingshot_APT_Minisling;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;EXE,APT,FILE
+Slingshot_APT_Ring0_Loader;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;EXE,APT,FILE
+Slingshot_APT_Malware_1;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Slingshot_APT_Malware_2;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Slingshot_APT_Malware_3;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+Slingshot_APT_Malware_4;Detects malware from Slingshot APT;https://securelist.com/apt-slingshot/84312/;2018-03-09 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
+HiddenCobra_r4_wiper_1;Detects HiddenCobra Wiper;https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf;2017-12-12 00:00:00;70;NCCIC Partner;EXE,NK,FILE
+HiddenCobra_r4_wiper_2;Detects HiddenCobra Wiper;https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf;2017-12-12 00:00:00;70;NCCIC Partner;EXE,NK,FILE
 SVG_LoadURL;Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections);http://goo.gl/psjCCc;2015-05-24 00:00:00;50;Florian Roth;
-NotPetya_Ransomware_Jun17;Detects new NotPetya Ransomware variant from June 2017;https://goo.gl/h6iaGj;2017-06-27 00:00:00;70;Florian Roth;EXE,RANSOM,CRIME,FILE,MAL
+NotPetya_Ransomware_Jun17;Detects new NotPetya Ransomware variant from June 2017;https://goo.gl/h6iaGj;2017-06-27 00:00:00;70;Florian Roth;EXE,RANSOM,MAL,CRIME,FILE
 SUSP_certificate_payload;Detects payloads that pretend to be certificates;https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/;2018-08-02 00:00:00;50;Didier Stevens, Florian Roth;FILE
-Powerkatz_DLL_Generic;Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible);PowerKatz Analysis;2016-02-05 00:00:00;80;Florian Roth;FILE,EXE
-APT_PupyRAT_PY;Detects Pupy RAT;https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations;2017-02-17 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Powerkatz_DLL_Generic;Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible);PowerKatz Analysis;2016-02-05 00:00:00;80;Florian Roth;EXE,FILE
+APT_PupyRAT_PY;Detects Pupy RAT;https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations;2017-02-17 00:00:00;70;Florian Roth;MAL,EXE,FILE
 APT_MagicHound_MalMacro;Detects malicious macro / powershell in Office document;https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations;2017-02-17 00:00:00;70;Florian Roth;OFFICE,FILE
 apt_ProjectSauron_pipe_backdoor;Rule to detect ProjectSauron pipe backdoors;https://securelist.com/blog/;1970-01-01 01:00:00;70;-;MAL,FILE
 apt_ProjectSauron_encrypted_LSA;Rule to detect ProjectSauron encrypted LSA samples;https://securelist.com/blog/;1970-01-01 01:00:00;70;-;EXTVAR,FILE
@@ -2109,27 +2110,27 @@ apt_ProjectSauron_MyTrampoline;Rule to detect ProjectSauron MyTrampoline module;
 apt_ProjectSauron_encrypted_container;Rule to detect ProjectSauron samples encrypted container;https://securelist.com/blog/;1970-01-01 01:00:00;70;-;EXTVAR,FILE
 apt_ProjectSauron_encryption;Rule to detect ProjectSauron string encryption;https://securelist.com/blog/;1970-01-01 01:00:00;70;-;
 apt_ProjectSauron_generic_pipe_backdoor;Rule to detect ProjectSauron generic pipe backdoors;https://securelist.com/blog/;1970-01-01 01:00:00;70;-;MAL,FILE
-Buckeye_Osinfo;Detects OSinfo tool used by the Buckeye APT group;http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong;2016-09-05 00:00:00;70;Florian Roth;APT,FILE,EXE
-RemoteCmd;Detects a remote access tool used by APT groups - file RemoteCmd.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;APT,FILE,EXE
-ChromePass;Detects a tool used by APT groups - file ChromePass.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;APT,FILE,EXE
-UBoatRAT;Detects UBoat RAT Samples;https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/;2017-11-29 00:00:00;70;Florian Roth;MAL,FILE,EXE
-UBoatRAT_Dropper;Detects UBoatRAT Dropper;https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/;2017-11-29 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Buckeye_Osinfo;Detects OSinfo tool used by the Buckeye APT group;http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong;2016-09-05 00:00:00;70;Florian Roth;EXE,APT,FILE
+RemoteCmd;Detects a remote access tool used by APT groups - file RemoteCmd.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;EXE,APT,FILE
+ChromePass;Detects a tool used by APT groups - file ChromePass.exe;http://goo.gl/igxLyF;2016-09-08 00:00:00;70;Florian Roth;EXE,APT,FILE
+UBoatRAT;Detects UBoat RAT Samples;https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/;2017-11-29 00:00:00;70;Florian Roth;MAL,EXE,FILE
+UBoatRAT_Dropper;Detects UBoatRAT Dropper;https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/;2017-11-29 00:00:00;70;Florian Roth;MAL,EXE,FILE
 MAL_Sednit_DelphiDownloader_Apr18_2;Detects malware from Sednit Delphi Downloader report;https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/;2018-04-24 00:00:00;70;Florian Roth;
-MAL_Sednit_DelphiDownloader_Apr18_3;Detects malware from Sednit Delphi Downloader report;https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/;2018-04-24 00:00:00;70;Florian Roth;FILE,EXE
-Win7Elevatev2;Detects Win7Elevate - Windows UAC bypass utility;http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html;2015-05-14 00:00:00;60;Florian Roth;FILE,EXE
+MAL_Sednit_DelphiDownloader_Apr18_3;Detects malware from Sednit Delphi Downloader report;https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/;2018-04-24 00:00:00;70;Florian Roth;EXE,FILE
+Win7Elevatev2;Detects Win7Elevate - Windows UAC bypass utility;http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html;2015-05-14 00:00:00;60;Florian Roth;EXE,FILE
 UACME_Akagi;Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor;https://github.com/hfiref0x/UACME;2015-05-14 00:00:00;60;Florian Roth;MAL
-UACElevator;UACElevator bypassing UAC - file UACElevator.exe;https://github.com/MalwareTech/UACElevator;2015-05-14 00:00:00;70;Florian Roth;FILE,EXE
-s4u;Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe;https://github.com/aurel26/s-4-u-for-windows;2015-06-05 00:00:00;50;Florian Roth;FILE,EXE
-UACME_Akagi_2;Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe;https://github.com/hfiref0x/UACME;2017-02-03 00:00:00;80;Florian Roth;FILE,EXE
-Molerats_Jul17_Sample_1;Detects Molerats sample - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;FILE,EXE
-Molerats_Jul17_Sample_2;Detects Molerats sample - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;FILE,EXE
-Molerats_Jul17_Sample_3;Detects Molerats sample - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;FILE,EXE
+UACElevator;UACElevator bypassing UAC - file UACElevator.exe;https://github.com/MalwareTech/UACElevator;2015-05-14 00:00:00;70;Florian Roth;EXE,FILE
+s4u;Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe;https://github.com/aurel26/s-4-u-for-windows;2015-06-05 00:00:00;50;Florian Roth;EXE,FILE
+UACME_Akagi_2;Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe;https://github.com/hfiref0x/UACME;2017-02-03 00:00:00;80;Florian Roth;EXE,FILE
+Molerats_Jul17_Sample_1;Detects Molerats sample - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;EXE,FILE
+Molerats_Jul17_Sample_2;Detects Molerats sample - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;EXE,FILE
+Molerats_Jul17_Sample_3;Detects Molerats sample - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;EXE,FILE
 Molerats_Jul17_Sample_4;Detects Molerats sample - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;
 Molerats_Jul17_Sample_5;Detects Molerats sample - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;
-Molerats_Jul17_Sample_Dropper;Detects Molerats sample dropper SFX - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;FILE,EXE
-Bytes_used_in_AES_key_generation;Detects Backdoor.goodor;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;MAL,FILE,EXE
-Partial_Implant_ID;Detects implant from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;FILE,EXE
-Sleep_Timer_Choice;Detects malware from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;FILE,EXE
+Molerats_Jul17_Sample_Dropper;Detects Molerats sample dropper SFX - July 2017;https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html;2017-07-07 00:00:00;70;Florian Roth;EXE,FILE
+Bytes_used_in_AES_key_generation;Detects Backdoor.goodor;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;MAL,EXE,FILE
+Partial_Implant_ID;Detects implant from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;EXE,FILE
+Sleep_Timer_Choice;Detects malware from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;EXE,FILE
 User_Function_String;Detects user function string from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;
 generic_shellcode_downloader_specific;Detects Doorshell from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;EXTVAR,FILE
 Batch_Script_To_Run_PsExec;Detects malicious batch file from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;
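Review bot: Every `+` line in this hunk differs from the `-` line it replaces only in the order of the tag field (`APT,FILE,EXE` → `EXE,APT,FILE`, `MAL,FILE,EXE` → `MAL,EXE,FILE`, `FILE,EXE` → `EXE,FILE`), so the hunk carries no information and will keep flipping on every regeneration if the tags are written in set or hash order. Assuming this index is generated from the rules' `tags` metadata, the generator should emit the field in a stable order (sorted, e.g. `APT,EXE,FILE`) so that a diff here only appears when a rule's tags actually change. A tag inconsistency this churn hides: `UACME_Akagi` is tagged `MAL`, while the sibling UAC-bypass entries `UACME_Akagi_2`, `UACElevator`, `Win7Elevatev2` and `s4u` carry only `EXE,FILE` and none of them has the `HKTL` tag this file uses for attacker tooling; if the tags come from the rule files, aligning those five rules on `EXE,FILE,HKTL` and regenerating would make tag-based filtering of this index reliable.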
@@ -2137,38 +2138,38 @@ Batch_Powershell_Invoke_Inveigh;Detects malicious batch file from NCSC report;ht
 lnk_detect;Detects malicious LNK file from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;FILE
 RDP_Brute_Strings;Detects RDP brute forcer from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;
 Z_WebShell;Detects Z Webshell from NCSC report;https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control;2018-04-06 00:00:00;70;NCSC;WEBSHELL
-MAL_CrypRAT_Jan19_1;Detects CrypRAT;Internal Research;2019-01-07 00:00:00;90;Florian Roth;MAL,FILE,EXE
-FVEY_ShadowBrokers_Jan17_Screen_Strings;Detects strings derived from the ShadowBroker's leak of Windows tools/exploits;https://bit.no.com:43110/theshadowbrokers.bit/post/message7/;2017-01-08 00:00:00;70;Florian Roth;HKTL,FILE,EXE
-Turla_APT_srsvc;Detects Turla malware (based on sample used in the RUAG APT case);https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case;2016-06-09 00:00:00;70;Florian Roth;RUSSIA,APT,FILE,EXE
-Turla_APT_Malware_Gen1;Detects Turla malware (based on sample used in the RUAG APT case);https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case;2016-06-09 00:00:00;70;Florian Roth;APT,EXE,FILE,RUSSIA,MAL
-Turla_APT_Malware_Gen2;Detects Turla malware (based on sample used in the RUAG APT case);https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case;2016-06-09 00:00:00;70;Florian Roth;APT,EXE,FILE,RUSSIA,MAL
-Turla_APT_Malware_Gen3;Detects Turla malware (based on sample used in the RUAG APT case);https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case;2016-06-09 00:00:00;70;Florian Roth;APT,EXE,FILE,RUSSIA,MAL
+MAL_CrypRAT_Jan19_1;Detects CrypRAT;Internal Research;2019-01-07 00:00:00;90;Florian Roth;MAL,EXE,FILE
+FVEY_ShadowBrokers_Jan17_Screen_Strings;Detects strings derived from the ShadowBroker's leak of Windows tools/exploits;https://bit.no.com:43110/theshadowbrokers.bit/post/message7/;2017-01-08 00:00:00;70;Florian Roth;EXE,HKTL,FILE
+Turla_APT_srsvc;Detects Turla malware (based on sample used in the RUAG APT case);https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case;2016-06-09 00:00:00;70;Florian Roth;EXE,APT,RUSSIA,FILE
+Turla_APT_Malware_Gen1;Detects Turla malware (based on sample used in the RUAG APT case);https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case;2016-06-09 00:00:00;70;Florian Roth;EXE,RUSSIA,MAL,APT,FILE
+Turla_APT_Malware_Gen2;Detects Turla malware (based on sample used in the RUAG APT case);https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case;2016-06-09 00:00:00;70;Florian Roth;EXE,RUSSIA,MAL,APT,FILE
+Turla_APT_Malware_Gen3;Detects Turla malware (based on sample used in the RUAG APT case);https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case;2016-06-09 00:00:00;70;Florian Roth;EXE,RUSSIA,MAL,APT,FILE
 Turla_Mal_Script_Jan18_1;Detects Turla malicious script;https://ghostbin.com/paste/jsph7;2018-01-19 00:00:00;70;Florian Roth;RUSSIA
-Turla_KazuarRAT;Detects Turla Kazuar RAT described by DrunkBinary;https://twitter.com/DrunkBinary/status/982969891975319553;2018-04-08 00:00:00;70;Markus Neis / Florian Roth;RUSSIA,MAL,FILE,EXE
-MAL_Turla_Agent_BTZ;Detects Turla Agent.BTZ;https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified;2018-04-12 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
-MAL_Turla_Sample_May18_1;Detects Turla samples;https://twitter.com/omri9741/status/991942007701598208;2018-05-03 00:00:00;70;Florian Roth;RUSSIA,FILE,EXE
+Turla_KazuarRAT;Detects Turla Kazuar RAT described by DrunkBinary;https://twitter.com/DrunkBinary/status/982969891975319553;2018-04-08 00:00:00;70;Markus Neis / Florian Roth;MAL,EXE,RUSSIA,FILE
+MAL_Turla_Agent_BTZ;Detects Turla Agent.BTZ;https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified;2018-04-12 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
+MAL_Turla_Sample_May18_1;Detects Turla samples;https://twitter.com/omri9741/status/991942007701598208;2018-05-03 00:00:00;70;Florian Roth;EXE,RUSSIA,FILE
 GoldenEye_Ransomware_XLS;GoldenEye XLS with Macro - file Schneider-Bewerbung.xls;https://goo.gl/jp2SkT;2016-12-06 00:00:00;70;Florian Roth;CRIME,FILE
-GoldenEyeRansomware_Dropper_MalformedZoomit;Auto-generated rule - file b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690;https://goo.gl/jp2SkT;2016-12-06 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PassCV_Sabre_Malware_1;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PassCV_Sabre_Malware_Signing_Cert;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;50;Florian Roth;MAL,FILE,EXE
-PassCV_Sabre_Malware_2;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PassCV_Sabre_Malware_Excalibur_1;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PassCV_Sabre_Malware_3;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PassCV_Sabre_Malware_4;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PassCV_Sabre_Tool_NTScan;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,FILE,EXE
-PassCV_Sabre_Malware_5;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,FILE,EXE
+GoldenEyeRansomware_Dropper_MalformedZoomit;Auto-generated rule - file b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690;https://goo.gl/jp2SkT;2016-12-06 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PassCV_Sabre_Malware_1;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PassCV_Sabre_Malware_Signing_Cert;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;50;Florian Roth;MAL,EXE,FILE
+PassCV_Sabre_Malware_2;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PassCV_Sabre_Malware_Excalibur_1;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PassCV_Sabre_Malware_3;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PassCV_Sabre_Malware_4;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PassCV_Sabre_Tool_NTScan;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,EXE,FILE
+PassCV_Sabre_Malware_5;PassCV Malware mentioned in Cylance Report;https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies;2016-10-20 00:00:00;70;Florian Roth;MAL,EXE,FILE
 WaterBug_wipbot_2013_core_PDF;Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF;http://t.co/rF35OaAXrl;2015-01-22 00:00:00;70;Symantec Security Response;MAL
 WaterBug_wipbot_2013_dll;Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component;http://t.co/rF35OaAXrl;2015-01-22 00:00:00;70;Symantec Security Response;MAL
 WaterBug_wipbot_2013_core;Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error;http://t.co/rF35OaAXrl;2015-01-22 00:00:00;70;Symantec Security Response;MAL
 WaterBug_turla_dropper;Symantec Waterbug Attack - Trojan Turla Dropper;http://t.co/rF35OaAXrl;2015-01-22 00:00:00;70;Symantec Security Response;MAL,RUSSIA
 WaterBug_fa_malware;Symantec Waterbug Attack - FA malware variant;http://t.co/rF35OaAXrl;2015-01-22 00:00:00;70;Symantec Security Response;
 WaterBug_sav;Symantec Waterbug Attack - SAV Malware;http://t.co/rF35OaAXrl;2015-01-22 00:00:00;70;Symantec Security Response;MAL
-generic_carbon;Turla Carbon malware;https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/;2017-03-30 00:00:00;70;ESET Research;RUSSIA,FILE,EXE
+generic_carbon;Turla Carbon malware;https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/;2017-03-30 00:00:00;70;ESET Research;EXE,RUSSIA,FILE
 carbon_metadata;Turla Carbon malware;https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/;2017-03-30 00:00:00;70;ESET Research;RUSSIA
-Agent_BTZ_Proxy_DLL_1;Detects Agent-BTZ Proxy DLL - activeds.dll;http://www.intezer.com/new-variants-of-agent-btz-comrat-found/;2017-08-07 00:00:00;70;Florian Roth;HKTL,FILE,EXE
-Agent_BTZ_Proxy_DLL_2;Detects Agent-BTZ Proxy DLL - activeds.dll;http://www.intezer.com/new-variants-of-agent-btz-comrat-found/;2017-08-07 00:00:00;70;Florian Roth;HKTL,FILE,EXE
-Agent_BTZ_Aug17;Detects Agent.BTZ;http://www.intezer.com/new-variants-of-agent-btz-comrat-found/;2017-08-07 00:00:00;70;Florian Roth;FILE,EXE
-APT_Turla_Agent_BTZ_Gen_1;Detects Turla Agent.BTZ;Internal Research;2018-06-16 00:00:00;80;Florian Roth;GEN,RUSSIA,FILE,EXE
+Agent_BTZ_Proxy_DLL_1;Detects Agent-BTZ Proxy DLL - activeds.dll;http://www.intezer.com/new-variants-of-agent-btz-comrat-found/;2017-08-07 00:00:00;70;Florian Roth;EXE,HKTL,FILE
+Agent_BTZ_Proxy_DLL_2;Detects Agent-BTZ Proxy DLL - activeds.dll;http://www.intezer.com/new-variants-of-agent-btz-comrat-found/;2017-08-07 00:00:00;70;Florian Roth;EXE,HKTL,FILE
+Agent_BTZ_Aug17;Detects Agent.BTZ;http://www.intezer.com/new-variants-of-agent-btz-comrat-found/;2017-08-07 00:00:00;70;Florian Roth;EXE,FILE
+APT_Turla_Agent_BTZ_Gen_1;Detects Turla Agent.BTZ;Internal Research;2018-06-16 00:00:00;80;Florian Roth;GEN,EXE,RUSSIA,FILE
 p0wnedPowerCat;p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs;https://github.com/Cn33liz/p0wnedShell;2017-01-14 00:00:00;70;Florian Roth;FILE
 Hacktool_Strings_p0wnedShell;p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs;https://github.com/Cn33liz/p0wnedShell;2017-01-14 00:00:00;70;Florian Roth;
 p0wnedPotato;p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs;https://github.com/Cn33liz/p0wnedShell;2017-01-14 00:00:00;70;Florian Roth;
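Review bot: `Agent_BTZ_Proxy_DLL_1` and `Agent_BTZ_Proxy_DLL_2` keep the `HKTL` tag on the new side (`EXE,HKTL,FILE`) while every other Agent.BTZ and Turla entry in this hunk (`MAL_Turla_Agent_BTZ`, `APT_Turla_Agent_BTZ_Gen_1`, `generic_carbon`, the `Turla_APT_*` rows) is tagged `RUSSIA` and, where present, `MAL`/`APT`; a proxy DLL of a Turla implant is malware rather than attacker tooling, and the mismatch will mislead anyone filtering this index by tag. `Agent_BTZ_Aug17` has the same gap (`EXE,FILE` only). If the tag column is derived from the rules' `tags` metadata, the fix belongs in those three rule files (`EXE,FILE,MAL,RUSSIA` would match their siblings) followed by a regeneration of this CSV. Separately, the hunk is pure tag reordering (`HKTL,FILE,EXE` → `EXE,HKTL,FILE`, `RUSSIA,FILE,EXE` → `EXE,RUSSIA,FILE`), which suggests the generator writes the tag field in set order; sorting the tags before writing would keep this file stable across regenerations.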
@@ -2178,137 +2179,137 @@ p0wnedListenerConsole;p0wnedShell Runspace Post Exploitation Toolkit - file p0wn p0wnedBinaries;p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs;https://github.com/Cn33liz/p0wnedShell;2017-01-14 00:00:00;70;Florian Roth; p0wnedAmsiBypass;p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs;https://github.com/Cn33liz/p0wnedShell;2017-01-14 00:00:00;70;Florian Roth; p0wnedShell_outputs;p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs;https://github.com/Cn33liz/p0wnedShell;2017-01-14 00:00:00;70;Florian Roth; -APT17_Malware_Oct17_1;Detects APT17 malware;https://goo.gl/puVc9q;2017-10-03 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE -APT17_Malware_Oct17_2;Detects APT17 malware;https://goo.gl/puVc9q;2017-10-03 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE -APT17_Unsigned_Symantec_Binary_EFA;Detects APT17 malware;https://goo.gl/puVc9q;2017-10-03 00:00:00;70;Florian Roth;APT,FILE,EXE -APT17_Malware_Oct17_Gen;Detects APT17 malware;https://goo.gl/puVc9q;2017-10-03 00:00:00;70;Florian Roth;MAL,APT,FILE,EXE -Sphinx_Moth_cudacrt;sphinx moth threat group file cudacrt.dll;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA;FILE,EXE -Sphinx_Moth_h2t;sphinx moth threat group file h2t.dat;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA (modified by Florian Roth);FILE,EXE -Sphinx_Moth_iastor32;sphinx moth threat group file iastor32.exe;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA;FILE,EXE -Sphinx_Moth_kerberos32;sphinx moth threat group file kerberos32.dll;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA (modified by Florian Roth);FILE,EXE -Sphinx_Moth_kerberos64;sphinx moth threat group file kerberos64.dll;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA (modified by Florian Roth);FILE,EXE 
-Sphinx_Moth_nvcplex;sphinx moth threat group file nvcplex.dat;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA;FILE,EXE +APT17_Malware_Oct17_1;Detects APT17 malware;https://goo.gl/puVc9q;2017-10-03 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE +APT17_Malware_Oct17_2;Detects APT17 malware;https://goo.gl/puVc9q;2017-10-03 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE +APT17_Unsigned_Symantec_Binary_EFA;Detects APT17 malware;https://goo.gl/puVc9q;2017-10-03 00:00:00;70;Florian Roth;EXE,APT,FILE +APT17_Malware_Oct17_Gen;Detects APT17 malware;https://goo.gl/puVc9q;2017-10-03 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE +Sphinx_Moth_cudacrt;sphinx moth threat group file cudacrt.dll;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA;EXE,FILE +Sphinx_Moth_h2t;sphinx moth threat group file h2t.dat;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA (modified by Florian Roth);EXE,FILE +Sphinx_Moth_iastor32;sphinx moth threat group file iastor32.exe;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA;EXE,FILE +Sphinx_Moth_kerberos32;sphinx moth threat group file kerberos32.dll;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA (modified by Florian Roth);EXE,FILE +Sphinx_Moth_kerberos64;sphinx moth threat group file kerberos64.dll;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA (modified by Florian Roth);EXE,FILE +Sphinx_Moth_nvcplex;sphinx moth threat group file nvcplex.dat;www.kudelskisecurity.com;2015-08-06 00:00:00;70;Kudelski Security - Nagravision SA;EXE,FILE DeepPanda_sl_txt_packed;Hack Deep Panda - ScanLine sl-txt-packed;-;2015-02-08 00:00:00;70;Florian Roth;CHINA DeepPanda_lot1;Hack Deep Panda - lot1.tmp-pwdump;-;2015-02-08 00:00:00;70;Florian Roth;CHINA DeepPanda_htran_exe;Hack Deep Panda - htran-exe;-;2015-02-08 00:00:00;70;Florian Roth;CHINA -DeepPanda_Trojan_Kakfum;Hack Deep Panda - 
Trojan.Kakfum sqlsrv32.dll;-;2015-02-08 00:00:00;70;Florian Roth;CHINA,MAL -Keylogger_CN_APT;Keylogger - generic rule for a Chinese variant;-;2016-03-07 00:00:00;75;Florian Roth;HKTL,CHINA,FILE,EXE -whosthere_alt;Auto-generated rule - file whosthere-alt.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;FILE,EXE -iam_alt_iam_alt;Auto-generated rule - file iam-alt.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;FILE,EXE -genhash_genhash;Auto-generated rule - file genhash.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;FILE,EXE -iam_iamdll;Auto-generated rule - file iamdll.dll;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;FILE,EXE -iam_iam;Auto-generated rule - file iam.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;FILE,EXE -whosthere_alt_pth;Auto-generated rule - file pth.dll;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;FILE,EXE -whosthere;Auto-generated rule - file whosthere.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;FILE,EXE +DeepPanda_Trojan_Kakfum;Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll;-;2015-02-08 00:00:00;70;Florian Roth;MAL,CHINA +Keylogger_CN_APT;Keylogger - generic rule for a Chinese variant;-;2016-03-07 00:00:00;75;Florian Roth;EXE,CHINA,HKTL,FILE +whosthere_alt;Auto-generated rule - file whosthere-alt.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;EXE,FILE +iam_alt_iam_alt;Auto-generated rule - file 
iam-alt.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;EXE,FILE +genhash_genhash;Auto-generated rule - file genhash.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;EXE,FILE +iam_iamdll;Auto-generated rule - file iamdll.dll;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;EXE,FILE +iam_iam;Auto-generated rule - file iam.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;EXE,FILE +whosthere_alt_pth;Auto-generated rule - file pth.dll;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;EXE,FILE +whosthere;Auto-generated rule - file whosthere.exe;http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit;2015-07-10 00:00:00;80;Florian Roth;EXE,FILE SUSP_CMD_Var_Expansion;Detects Office droppers that include a variable expansion string;https://twitter.com/asfakian/status/1044859525675843585;2018-09-26 00:00:00;60;Florian Roth;OFFICE,FILE -APT_Lazarus_Dropper_Jun18_1;Detects Lazarus Group Dropper;https://twitter.com/DrunkBinary/status/1002587521073721346;2018-06-01 00:00:00;70;Florian Roth;NK,MAL,FILE,EXE -APT_Lazarus_RAT_Jun18_1;Detects Lazarus Group RAT;https://twitter.com/DrunkBinary/status/1002587521073721346;2018-06-01 00:00:00;70;Florian Roth;NK,MAL,FILE,EXE -APT_Lazarus_RAT_Jun18_2;Detects Lazarus Group RAT;https://twitter.com/DrunkBinary/status/1002587521073721346;2018-06-01 00:00:00;70;Florian Roth;NK,MAL,FILE,EXE -CVE_2014_4076_Exploitcode;Detects an exploit code for CVE-2014-4076;https://github.com/Neo23x0/yarGen;2018-04-04 00:00:00;70;Florian Roth;FILE,EXE,EXPLOIT -HDRoot_Sample_Jul17_1;Detects HDRoot samples;Winnti HDRoot VT;2017-07-07 00:00:00;70;Florian Roth;FILE,EXE 
-HDRoot_Sample_Jul17_2;Detects HDRoot samples;Winnti HDRoot VT;2017-07-07 00:00:00;70;Florian Roth;FILE,EXE
-Unspecified_Malware_Jul17_1A;Detects samples of an unspecified malware - July 2017;Winnti HDRoot VT;2017-07-07 00:00:00;70;Florian Roth;MAL,FILE,EXE
-IMPLANT_1_v1;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_1_v2;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_1_v3;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_1_v4;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_1_v5;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_1_v7;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v1;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v2;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v3;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v4;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v5;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v6;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v7;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v8;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v9;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v10;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v11;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v12;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v13;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v14;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v15;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v16;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v17;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v18;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v19;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_2_v20;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_3_v1;X-Agent/CHOPSTICK Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,APT
-IMPLANT_3_v2;X-Agent/CHOPSTICK Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_3_v3;X-Agent/CHOPSTICK Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_4_v1;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_4_v2;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_4_v3_AlternativeRule;BlackEnergy / Voodoo Bear Implant by APT28;US CERT Grizzly Steppe Report;2017-02-12 00:00:00;70;Florian Roth;RUSSIA,APT,FILE,EXE
-IMPLANT_4_v4;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_4_v5;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_4_v7;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_4_v8;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,APT
-IMPLANT_4_v9;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,APT
-IMPLANT_4_v10;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_4_v11;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_4_v13;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_5_v1;XTunnel Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,APT
-IMPLANT_5_v2;XTunnel Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,APT
-IMPLANT_5_v3;XTunnel Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,APT
-IMPLANT_5_v4;XTunnel Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,APT
-IMPLANT_6_v1;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_6_v2;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_6_v3;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_6_v4;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_6_v5;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_6_v6;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_7_v1;Implant 7 by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_8_v1;HAMMERTOSS / HammerDuke Implant by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_9_v1;Onion Duke Implant by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-IMPLANT_10_v2;CozyDuke / CozyCar / CozyBear Implant by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,FILE,APT
-Unidentified_Malware_Two;Unidentified Implant by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;RUSSIA,MAL,APT
-SUSP_ELF_LNX_UPX_Compressed_File;Detects a suspicious ELF binary with UPX compression;Internal Research;2018-12-12 00:00:00;40;Florian Roth;FILE,LINUX
-Tools_cmd;Chinese Hacktool Set - file cmd.jSp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-trigger_drop;Chinese Hacktool Set - file trigger_drop.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-InjectionParameters;Chinese Hacktool Set - file InjectionParameters.vb;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-users_list;Chinese Hacktool Set - file users_list.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-trigger_modify;Chinese Hacktool Set - file trigger_modify.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Customize;Chinese Hacktool Set - file Customize.aspx;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-oracle_data;Chinese Hacktool Set - file oracle_data.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-reDuhServers_reDuh;Chinese Hacktool Set - file reDuh.jsp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-item_old;Chinese Hacktool Set - file item-old.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Tools_2014;Chinese Hacktool Set - file 2014.jsp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-reDuhServers_reDuh_2;Chinese Hacktool Set - file reDuh.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Customize_2;Chinese Hacktool Set - file Customize.jsp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-ChinaChopper_one;Chinese Hacktool Set - file one.asp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-CN_Tools_old;Chinese Hacktool Set - file old.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-item_301;Chinese Hacktool Set - file item-301.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-CN_Tools_item;Chinese Hacktool Set - file item.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-f3_diy;Chinese Hacktool Set - file diy.asp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,FILE,CHINA,WEBSHELL
-ChinaChopper_temp;Chinese Hacktool Set - file temp.asp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Tools_2015;Chinese Hacktool Set - file 2015.jsp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-ChinaChopper_temp_2;Chinese Hacktool Set - file temp.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-templatr;Chinese Hacktool Set - file templatr.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-reDuhServers_reDuh_3;Chinese Hacktool Set - file reDuh.aspx;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-ChinaChopper_temp_3;Chinese Hacktool Set - file temp.aspx;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;HKTL,FILE,CHINA,WEBSHELL
-Shell_Asp;Chinese Hacktool Set Webshells - file Asp.html;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_aspxtag;Chinese Hacktool Set - Webshells - file aspxtag.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_php;Chinese Hacktool Set - Webshells - file php.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_aspx1;Chinese Hacktool Set - Webshells - file aspx1.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_shell;Chinese Hacktool Set - Webshells - file shell.c;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_asp;Chinese Hacktool Set - Webshells - file asp.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,FILE,CHINA,WEBSHELL
-Txt_asp1;Chinese Hacktool Set - Webshells - file asp1.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_php_2;Chinese Hacktool Set - Webshells - file php.html;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_ftp;Chinese Hacktool Set - Webshells - file ftp.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_lcx;Chinese Hacktool Set - Webshells - file lcx.c;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_jspcmd;Chinese Hacktool Set - Webshells - file jspcmd.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_jsp;Chinese Hacktool Set - Webshells - file jsp.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_aspxlcx;Chinese Hacktool Set - Webshells - file aspxlcx.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,FILE,CHINA,WEBSHELL
-Txt_xiao;Chinese Hacktool Set - Webshells - file xiao.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_aspx;Chinese Hacktool Set - Webshells - file aspx.jpg;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_Sql;Chinese Hacktool Set - Webshells - file Sql.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Txt_hello;Chinese Hacktool Set - Webshells - file hello.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;HKTL,CHINA,WEBSHELL
-Suckfly_Nidiran_Gen_1;Detects Suckfly Nidiran Trojan;https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates;2018-01-28 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE
-Suckfly_Nidiran_Gen_2;Detects Suckfly Nidiran Trojan;https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates;2018-01-28 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE
-Suckfly_Nidiran_Gen_3;Detects Suckfly Nidiran Trojan;https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates;2018-01-28 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE
+APT_Lazarus_Dropper_Jun18_1;Detects Lazarus Group Dropper;https://twitter.com/DrunkBinary/status/1002587521073721346;2018-06-01 00:00:00;70;Florian Roth;MAL,EXE,NK,FILE
+APT_Lazarus_RAT_Jun18_1;Detects Lazarus Group RAT;https://twitter.com/DrunkBinary/status/1002587521073721346;2018-06-01 00:00:00;70;Florian Roth;MAL,EXE,NK,FILE
+APT_Lazarus_RAT_Jun18_2;Detects Lazarus Group RAT;https://twitter.com/DrunkBinary/status/1002587521073721346;2018-06-01 00:00:00;70;Florian Roth;MAL,EXE,NK,FILE
+CVE_2014_4076_Exploitcode;Detects an exploit code for CVE-2014-4076;https://github.com/Neo23x0/yarGen;2018-04-04 00:00:00;70;Florian Roth;EXE,EXPLOIT,FILE
+HDRoot_Sample_Jul17_1;Detects HDRoot samples;Winnti HDRoot VT;2017-07-07 00:00:00;70;Florian Roth;EXE,FILE
+HDRoot_Sample_Jul17_2;Detects HDRoot samples;Winnti HDRoot VT;2017-07-07 00:00:00;70;Florian Roth;EXE,FILE
+Unspecified_Malware_Jul17_1A;Detects samples of an unspecified malware - July 2017;Winnti HDRoot VT;2017-07-07 00:00:00;70;Florian Roth;MAL,EXE,FILE
+IMPLANT_1_v1;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_1_v2;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_1_v3;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_1_v4;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_1_v5;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_1_v7;Downrage Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v1;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v2;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v3;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v4;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v5;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v6;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v7;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v8;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v9;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v10;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v11;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v12;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v13;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v14;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v15;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v16;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v17;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v18;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v19;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_2_v20;CORESHELL/SOURFACE Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_3_v1;X-Agent/CHOPSTICK Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA
+IMPLANT_3_v2;X-Agent/CHOPSTICK Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_3_v3;X-Agent/CHOPSTICK Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_4_v1;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_4_v2;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_4_v3_AlternativeRule;BlackEnergy / Voodoo Bear Implant by APT28;US CERT Grizzly Steppe Report;2017-02-12 00:00:00;70;Florian Roth;EXE,APT,RUSSIA,FILE
+IMPLANT_4_v4;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_4_v5;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_4_v7;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_4_v8;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA
+IMPLANT_4_v9;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA
+IMPLANT_4_v10;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_4_v11;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_4_v13;BlackEnergy / Voodoo Bear Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_5_v1;XTunnel Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA
+IMPLANT_5_v2;XTunnel Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA
+IMPLANT_5_v3;XTunnel Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA
+IMPLANT_5_v4;XTunnel Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA
+IMPLANT_6_v1;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_6_v2;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_6_v3;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_6_v4;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_6_v5;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_6_v6;Sednit / EVILTOSS Implant by APT28;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_7_v1;Implant 7 by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_8_v1;HAMMERTOSS / HammerDuke Implant by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_9_v1;Onion Duke Implant by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+IMPLANT_10_v2;CozyDuke / CozyCar / CozyBear Implant by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;APT,RUSSIA,FILE
+Unidentified_Malware_Two;Unidentified Implant by APT29;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE;2017-02-10 00:00:00;85;US CERT;MAL,APT,RUSSIA
+SUSP_ELF_LNX_UPX_Compressed_File;Detects a suspicious ELF binary with UPX compression;Internal Research;2018-12-12 00:00:00;40;Florian Roth;LINUX,FILE
+Tools_cmd;Chinese Hacktool Set - file cmd.jSp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+trigger_drop;Chinese Hacktool Set - file trigger_drop.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+InjectionParameters;Chinese Hacktool Set - file InjectionParameters.vb;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+users_list;Chinese Hacktool Set - file users_list.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+trigger_modify;Chinese Hacktool Set - file trigger_modify.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Customize;Chinese Hacktool Set - file Customize.aspx;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+oracle_data;Chinese Hacktool Set - file oracle_data.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+reDuhServers_reDuh;Chinese Hacktool Set - file reDuh.jsp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+item_old;Chinese Hacktool Set - file item-old.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Tools_2014;Chinese Hacktool Set - file 2014.jsp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+reDuhServers_reDuh_2;Chinese Hacktool Set - file reDuh.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Customize_2;Chinese Hacktool Set - file Customize.jsp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+ChinaChopper_one;Chinese Hacktool Set - file one.asp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+CN_Tools_old;Chinese Hacktool Set - file old.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+item_301;Chinese Hacktool Set - file item-301.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+CN_Tools_item;Chinese Hacktool Set - file item.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+f3_diy;Chinese Hacktool Set - file diy.asp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL,FILE
+ChinaChopper_temp;Chinese Hacktool Set - file temp.asp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Tools_2015;Chinese Hacktool Set - file 2015.jsp;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+ChinaChopper_temp_2;Chinese Hacktool Set - file temp.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+templatr;Chinese Hacktool Set - file templatr.php;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+reDuhServers_reDuh_3;Chinese Hacktool Set - file reDuh.aspx;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+ChinaChopper_temp_3;Chinese Hacktool Set - file temp.aspx;http://tools.zjqhr.com/;2015-06-13 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL,FILE
+Shell_Asp;Chinese Hacktool Set Webshells - file Asp.html;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_aspxtag;Chinese Hacktool Set - Webshells - file aspxtag.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_php;Chinese Hacktool Set - Webshells - file php.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_aspx1;Chinese Hacktool Set - Webshells - file aspx1.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_shell;Chinese Hacktool Set - Webshells - file shell.c;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_asp;Chinese Hacktool Set - Webshells - file asp.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL,FILE
+Txt_asp1;Chinese Hacktool Set - Webshells - file asp1.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_php_2;Chinese Hacktool Set - Webshells - file php.html;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_ftp;Chinese Hacktool Set - Webshells - file ftp.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_lcx;Chinese Hacktool Set - Webshells - file lcx.c;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_jspcmd;Chinese Hacktool Set - Webshells - file jspcmd.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_jsp;Chinese Hacktool Set - Webshells - file jsp.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_aspxlcx;Chinese Hacktool Set - Webshells - file aspxlcx.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL,FILE
+Txt_xiao;Chinese Hacktool Set - Webshells - file xiao.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_aspx;Chinese Hacktool Set - Webshells - file aspx.jpg;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_Sql;Chinese Hacktool Set - Webshells - file Sql.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Txt_hello;Chinese Hacktool Set - Webshells - file hello.txt;http://tools.zjqhr.com/;2015-06-14 00:00:00;70;Florian Roth;WEBSHELL,CHINA,HKTL
+Suckfly_Nidiran_Gen_1;Detects Suckfly Nidiran Trojan;https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates;2018-01-28 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE
+Suckfly_Nidiran_Gen_2;Detects Suckfly Nidiran Trojan;https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates;2018-01-28 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE
+Suckfly_Nidiran_Gen_3;Detects Suckfly Nidiran Trojan;https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates;2018-01-28 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE
 SUSP_Bad_PDF;Detects PDF that embeds code to steal NTLM hashes;Internal Research;2018-05-03 00:00:00;70;Florian Roth, Markus Neis;FILE
-TeleDoor_Backdoor;Detects the TeleDoor Backdoor as used in Petya Attack in June 2017;https://goo.gl/CpfJQQ;2017-07-05 00:00:00;70;Florian Roth;RANSOM,MAL,FILE,EXE
+TeleDoor_Backdoor;Detects the TeleDoor Backdoor as used in Petya Attack in June 2017;https://goo.gl/CpfJQQ;2017-07-05 00:00:00;70;Florian Roth;MAL,EXE,RANSOM,FILE
 remsec_executable_blob_32;Detects malware from Symantec's Strider APT report;http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets;2016-08-08 00:00:00;80;-;APT
 remsec_executable_blob_64;Detects malware from Symantec's Strider APT report;http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets;2016-08-08 00:00:00;80;-;APT
 remsec_executable_blob_parser;Detects malware from Symantec's Strider APT report;http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets;2016-08-08 00:00:00;80;-;APT
@@ -2340,12 +2341,12 @@ PLUGX_RedLeaves;Detects specific RedLeaves and PlugX binaries;https://www.us-cer
 Malware_JS_powershell_obfuscated;Unspecified malware - file rechnung_3.js;Internal Research;2017-03-24 00:00:00;70;Florian Roth;
 EQGRP_noclient_3_0_5;Detects tool from EQGRP toolset - file noclient-3.0.5.3;Research;2016-08-15 00:00:00;75;Florian Roth;FILE
 EQGRP_installdate;Detects tool from EQGRP toolset - file installdate.pl;Research;2016-08-15 00:00:00;75;Florian Roth;
-EQGRP_teflondoor;Detects tool from EQGRP toolset - file teflondoor.exe;Research;2016-08-15 00:00:00;75;Florian Roth;FILE,EXE
+EQGRP_teflondoor;Detects tool from EQGRP toolset - file teflondoor.exe;Research;2016-08-15 00:00:00;75;Florian Roth;EXE,FILE
 EQGRP_durablenapkin_solaris_2_0_1;Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1;Research;2016-08-15 00:00:00;75;Florian Roth;FILE
-EQGRP_teflonhandle;Detects tool from EQGRP toolset - file teflonhandle.exe;Research;2016-08-15 00:00:00;75;Florian Roth;FILE,EXE
-EQGRP_false;Detects tool from EQGRP toolset - file false.exe;Research;2016-08-15 00:00:00;75;Florian Roth;FILE,EXE
+EQGRP_teflonhandle;Detects tool from EQGRP toolset - file teflonhandle.exe;Research;2016-08-15 00:00:00;75;Florian Roth;EXE,FILE
+EQGRP_false;Detects tool from EQGRP toolset - file false.exe;Research;2016-08-15 00:00:00;75;Florian Roth;EXE,FILE
 EQGRP_dn_1_0_2_1;Detects tool from EQGRP toolset - file dn.1.0.2.1.linux;Research;2016-08-15 00:00:00;75;Florian Roth;FILE
-EQGRP_morel;Detects tool from EQGRP toolset - file morel.exe;Research;2016-08-15 00:00:00;75;Florian Roth;FILE,EXE
+EQGRP_morel;Detects tool from EQGRP toolset - file morel.exe;Research;2016-08-15 00:00:00;75;Florian Roth;EXE,FILE
 EQGRP_bc_parser;Detects tool from EQGRP toolset - file bc-parser;Research;2016-08-15 00:00:00;75;Florian Roth;FILE
 EQGRP_1212;Detects tool from EQGRP toolset - file 1212.pl;Research;2016-08-15 00:00:00;75;Florian Roth;
 EQGRP_1212_dehex;Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl;Research;2016-08-15 00:00:00;75;Florian Roth;FILE
@@ -2403,75 +2404,75 @@ EQGRP_callbacks;EQGRP Toolset Firewall - Callback addresses;Research;2016-08-16
 EQGRP_Extrabacon_Output;EQGRP Toolset Firewall - Extrabacon exploit output;Research;2016-08-16 00:00:00;70;Florian Roth;
 EQGRP_Unique_Strings;EQGRP Toolset Firewall - Unique strings;Research;2016-08-16 00:00:00;70;Florian Roth;
 EQGRP_RC5_RC6_Opcode;EQGRP Toolset Firewall - RC5 / RC6 opcode;https://securelist.com/blog/incidents/75812/the-equation-giveaway/;2016-08-17 00:00:00;70;Florian Roth;
-EquationGroup_modifyAudit_Implant;EquationGroup Malware - file modifyAudit_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_modifyAudit_Lp;EquationGroup Malware - file modifyAudit_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_ProcessHide_Lp;EquationGroup Malware - file ProcessHide_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_pwdump_Implant;EquationGroup Malware - file pwdump_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_EquationDrug_Gen_5;EquationGroup Malware - file PC_Level3_http_dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE
-EquationGroup_PC_Level3_http_flav_dll;EquationGroup Malware - file PC_Level3_http_flav_dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_LSADUMP_Lp;EquationGroup Malware - file LSADUMP_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;HKTL,MAL,FILE,EXE
-EquationGroup_EquationDrug_mstcp32;EquationGroup Malware - file mstcp32.sys;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_nethide_Lp;EquationGroup Malware - file nethide_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_PC_Level4_flav_dll_x64;EquationGroup Malware - file PC_Level4_flav_dll_x64;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_PC_Level4_flav_exe;EquationGroup Malware - file PC_Level4_flav_exe;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_processinfo_Implant;EquationGroup Malware - file processinfo_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_EquationDrug_Gen_2;EquationGroup Malware - file PortMap_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Auto Generated;GEN,MAL,FILE,EXE
-EquationGroup_EquationDrug_ntevt;EquationGroup Malware - file ntevt.sys;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_nethide_Implant;EquationGroup Malware - file nethide_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_EquationDrug_Gen_4;EquationGroup Malware - file PC_Level4_flav_dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Auto Generated;GEN,MAL,FILE,EXE
-EquationGroup_EquationDrug_tdi6;EquationGroup Malware - file tdi6.sys;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_modifyAuthentication_Implant;EquationGroup Malware - file modifyAuthentication_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_ntfltmgr;EquationGroup Malware - file ntfltmgr.sys;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_DXGHLP16;EquationGroup Malware - file DXGHLP16.SYS;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_EquationDrug_msgkd;EquationGroup Malware - file msgkd.ex_;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_RunAsChild_Lp;EquationGroup Malware - file RunAsChild_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_EquationDrug_Gen_6;EquationGroup Malware - file PC_Level3_dll_x64;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE
-EquationGroup_PC_Level3_http_flav_dll_x64;EquationGroup Malware - file PC_Level3_http_flav_dll_x64;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_EquationDrug_Gen_3;EquationGroup Malware - file mssld.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Auto Generated;GEN,MAL,FILE,EXE
-EquationGroup_GetAdmin_Lp;EquationGroup Malware - file GetAdmin_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_ModifyGroup_Lp;EquationGroup Malware - file ModifyGroup_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_pwdump_Lp;EquationGroup Malware - file pwdump_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_EventLogEdit_Implant;EquationGroup Malware - file EventLogEdit_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_PortMap_Lp;EquationGroup Malware - file PortMap_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_ProcessOptions_Lp;EquationGroup Malware - file ProcessOptions_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_PassFreely_Lp;EquationGroup Malware - file PassFreely_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,FILE,EXE
-EquationGroup_EquationDrug_Gen_1;EquationGroup Malware;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;GEN,MAL,FILE,EXE
+EquationGroup_modifyAudit_Implant;EquationGroup Malware - file modifyAudit_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_modifyAudit_Lp;EquationGroup Malware - file modifyAudit_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_ProcessHide_Lp;EquationGroup Malware - file ProcessHide_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_pwdump_Implant;EquationGroup Malware - file pwdump_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_EquationDrug_Gen_5;EquationGroup Malware - file PC_Level3_http_dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE
+EquationGroup_PC_Level3_http_flav_dll;EquationGroup Malware - file PC_Level3_http_flav_dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_LSADUMP_Lp;EquationGroup Malware - file LSADUMP_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,HKTL,FILE
+EquationGroup_EquationDrug_mstcp32;EquationGroup Malware - file mstcp32.sys;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_nethide_Lp;EquationGroup Malware - file nethide_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_PC_Level4_flav_dll_x64;EquationGroup Malware - file PC_Level4_flav_dll_x64;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_PC_Level4_flav_exe;EquationGroup Malware - file PC_Level4_flav_exe;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_processinfo_Implant;EquationGroup Malware - file processinfo_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_EquationDrug_Gen_2;EquationGroup Malware - file PortMap_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Auto Generated;MAL,EXE,GEN,FILE
+EquationGroup_EquationDrug_ntevt;EquationGroup Malware - file ntevt.sys;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_nethide_Implant;EquationGroup Malware - file nethide_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_EquationDrug_Gen_4;EquationGroup Malware - file PC_Level4_flav_dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Auto Generated;MAL,EXE,GEN,FILE
+EquationGroup_EquationDrug_tdi6;EquationGroup Malware - file tdi6.sys;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_modifyAuthentication_Implant;EquationGroup Malware - file modifyAuthentication_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_ntfltmgr;EquationGroup Malware - file ntfltmgr.sys;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_DXGHLP16;EquationGroup Malware - file DXGHLP16.SYS;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_EquationDrug_msgkd;EquationGroup Malware - file msgkd.ex_;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_RunAsChild_Lp;EquationGroup Malware - file RunAsChild_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_EquationDrug_Gen_6;EquationGroup Malware - file PC_Level3_dll_x64;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE
+EquationGroup_PC_Level3_http_flav_dll_x64;EquationGroup Malware - file PC_Level3_http_flav_dll_x64;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_EquationDrug_Gen_3;EquationGroup Malware - file mssld.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Auto Generated;MAL,EXE,GEN,FILE
+EquationGroup_GetAdmin_Lp;EquationGroup Malware - file GetAdmin_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_ModifyGroup_Lp;EquationGroup Malware - file ModifyGroup_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_pwdump_Lp;EquationGroup Malware - file pwdump_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_EventLogEdit_Implant;EquationGroup Malware - file EventLogEdit_Implant.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_PortMap_Lp;EquationGroup Malware - file PortMap_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_ProcessOptions_Lp;EquationGroup Malware - file ProcessOptions_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_PassFreely_Lp;EquationGroup Malware - file PassFreely_Lp.dll;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,FILE
+EquationGroup_EquationDrug_Gen_1;EquationGroup Malware;https://goo.gl/tcSoiJ;2017-01-13 00:00:00;70;Florian Roth;MAL,EXE,GEN,FILE
 EquationDrug_MS_Identifier;Microsoft Identifier used in EquationDrug Platform;-;2015-03-11 00:00:00;70;Florian Roth @4nc4p;
-PoseidonGroup_Malware;Detects Poseidon Group Malware;https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/;2016-02-09 00:00:00;85;Florian Roth;MAL,FILE,EXE
+PoseidonGroup_Malware;Detects Poseidon Group Malware;https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/;2016-02-09 00:00:00;85;Florian Roth;MAL,EXE,FILE
 PoseidonGroup_MalDoc_1;Detects Poseidon Group - Malicious Word Document;https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/;2016-02-09 00:00:00;80;Florian Roth;OFFICE,FILE
 PoseidonGroup_MalDoc_2;Detects Poseidon Group - Malicious Word Document;https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/;2016-02-09 00:00:00;70;Florian Roth;OFFICE,FILE
 KINS_dropper;Match protocol, process injects and windows exploit present in KINS dropper;http://goo.gl/arPhm3;1970-01-01 01:00:00;70;AlienVault Labs aortega@alienvault.com;
 KINS_DLL_zeus;Match default bot in KINS leaked dropper, Zeus;http://goo.gl/arPhm3;1970-01-01 01:00:00;70;AlienVault Labs aortega@alienvault.com;
-WindowsShell_s3;Detects simple Windows shell - file s3.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;FILE,EXE
-WindosShell_s1;Detects simple Windows shell - file s1.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;FILE,EXE
-WindowsShell_s4;Detects simple Windows shell - file s4.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;FILE,EXE
-WindowsShell_Gen;Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;FILE,EXE
-WindowsShell_Gen2;Detects simple Windows shell - from files s3.exe, s4.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;FILE,EXE
-APT12_Malware_Aug17;Detects APT 12 Malware;http://blog.macnica.net/blog/2017/08/post-fb81.html;2017-08-30 00:00:00;70;Florian Roth;APT,MAL,FILE,EXE
+WindowsShell_s3;Detects simple Windows shell - file s3.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;EXE,FILE
+WindosShell_s1;Detects simple Windows shell - file s1.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;EXE,FILE
+WindowsShell_s4;Detects simple Windows shell - file s4.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;EXE,FILE
+WindowsShell_Gen;Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;EXE,FILE
+WindowsShell_Gen2;Detects simple Windows shell - from files s3.exe, s4.exe;https://github.com/odzhan/shells/;2016-03-26 00:00:00;70;Florian Roth;EXE,FILE
+APT12_Malware_Aug17;Detects APT 12 Malware;http://blog.macnica.net/blog/2017/08/post-fb81.html;2017-08-30 00:00:00;70;Florian Roth;MAL,EXE,APT,FILE
 IronTiger_ASPXSpy;ASPXSpy detection. It might be used by other fraudsters;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;
-IronTiger_ChangePort_Toolkit_driversinstall;Iron Tiger Malware - Changeport Toolkit driverinstall;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,MAL,FILE,EXE
-IronTiger_ChangePort_Toolkit_ChangePortExe;Iron Tiger Malware - Toolkit ChangePort;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,MAL,FILE,EXE
-IronTiger_dllshellexc2010;dllshellexc2010 Exchange backdoor + remote shell;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,FILE,EXE
-IronTiger_dnstunnel;This rule detects a dns tunnel tool used in Operation Iron Tiger;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,FILE,EXE
-IronTiger_EFH3_encoder;Iron Tiger EFH3 Encoder;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,FILE,EXE
-IronTiger_GetPassword_x64;Iron Tiger Malware - GetPassword x64;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,MAL,FILE,EXE
-IronTiger_GTalk_Trojan;Iron Tiger Malware - GTalk Trojan;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,MAL,FILE,EXE
-IronTiger_HTTP_SOCKS_Proxy_soexe;Iron Tiger Toolset - HTTP SOCKS Proxy soexe;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;HKTL,INDIA,FILE,EXE
-IronTiger_NBDDos_Gh0stvariant_dropper;Iron Tiger Malware - NBDDos Gh0stvariant Dropper;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,MAL,FILE,EXE
-IronTiger_PlugX_DosEmulator;Iron Tiger Malware - PlugX DosEmulator;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,MAL,FILE,EXE
-IronTiger_PlugX_FastProxy;Iron Tiger Malware - PlugX FastProxy;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;EXE,INDIA,FILE,HKTL,MAL
-IronTiger_PlugX_Server;Iron Tiger Malware - PlugX Server;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,MAL,FILE,EXE
-IronTiger_ReadPWD86;Iron Tiger Malware - ReadPWD86;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,MAL,FILE,EXE
-IronTiger_Ring_Gh0stvariant;Iron Tiger Malware - Ring Gh0stvariant;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA,MAL,FILE,EXE
+IronTiger_ChangePort_Toolkit_driversinstall;Iron Tiger Malware - Changeport Toolkit driverinstall;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,INDIA,FILE
+IronTiger_ChangePort_Toolkit_ChangePortExe;Iron Tiger Malware - Toolkit ChangePort;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,INDIA,FILE
+IronTiger_dllshellexc2010;dllshellexc2010 Exchange backdoor + remote shell;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,FILE
+IronTiger_dnstunnel;This rule detects a dns tunnel tool used in Operation Iron Tiger;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;EXE,INDIA,FILE
+IronTiger_EFH3_encoder;Iron Tiger EFH3 Encoder;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;EXE,INDIA,FILE
+IronTiger_GetPassword_x64;Iron Tiger Malware - GetPassword x64;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,INDIA,FILE
+IronTiger_GTalk_Trojan;Iron Tiger Malware - GTalk Trojan;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,INDIA,FILE
+IronTiger_HTTP_SOCKS_Proxy_soexe;Iron Tiger Toolset - HTTP SOCKS Proxy soexe;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;EXE,INDIA,HKTL,FILE
+IronTiger_NBDDos_Gh0stvariant_dropper;Iron Tiger Malware - NBDDos Gh0stvariant Dropper;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,INDIA,FILE
+IronTiger_PlugX_DosEmulator;Iron Tiger Malware - PlugX DosEmulator;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,INDIA,FILE
+IronTiger_PlugX_FastProxy;Iron Tiger Malware - PlugX FastProxy;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;EXE,INDIA,HKTL,MAL,FILE
+IronTiger_PlugX_Server;Iron Tiger Malware - PlugX Server;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,INDIA,FILE
+IronTiger_ReadPWD86;Iron Tiger Malware - ReadPWD86;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,INDIA,FILE
+IronTiger_Ring_Gh0stvariant;Iron Tiger Malware - Ring Gh0stvariant;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;MAL,EXE,INDIA,FILE
 IronTiger_wmiexec;Iron Tiger Tool - wmi.vbs detection;http://goo.gl/T5fSJC;1970-01-01 01:00:00;70;Cyber Safety Solutions, Trend Micro;INDIA
-Servantshell;Detects Servantshell malware;https://tinyurl.com/jmp7nrs;2017-02-02 00:00:00;70;Arbor Networks ASERT Nov 2015;FILE,EXE
-Malware_Floxif_mpsvc_dll;Malware - Floxif;Internal Research;2017-04-07 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Servantshell;Detects Servantshell malware;https://tinyurl.com/jmp7nrs;2017-02-02 00:00:00;70;Arbor Networks ASERT Nov 2015;EXE,FILE
+Malware_Floxif_mpsvc_dll;Malware - Floxif;Internal Research;2017-04-07 00:00:00;70;Florian Roth;MAL,EXE,FILE
 Armitage_msfconsole;Detects Armitage component;Internal Research;2017-12-24 00:00:00;70;Florian Roth;FILE
 Armitage_MeterpreterSession_Strings;Detects Armitage component;Internal Research;2017-12-24 00:00:00;70;Florian Roth;
 Armitage_OSX;Detects Armitage component;Internal Research;2017-12-24 00:00:00;70;Florian Roth;
-Regin_APT_KernelDriver_Generic_A;Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2;-;2014-11-23 00:00:00;70;@Malwrsignatures - included in APT Scanner THOR;GEN,MAL,APT
-Regin_APT_KernelDriver_Generic_B;Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2;-;2014-11-23 00:00:00;70;@Malwrsignatures - included in APT Scanner THOR;GEN,MAL,APT
-Regin_APT_KernelDriver_Generic_C;Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2;-;2014-11-23 00:00:00;70;@Malwrsignatures - included in APT Scanner THOR;GEN,MAL,APT
+Regin_APT_KernelDriver_Generic_A;Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2;-;2014-11-23 00:00:00;70;@Malwrsignatures - included in APT Scanner THOR;MAL,APT,GEN
+Regin_APT_KernelDriver_Generic_B;Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2;-;2014-11-23 00:00:00;70;@Malwrsignatures - included in APT Scanner THOR;MAL,APT,GEN
+Regin_APT_KernelDriver_Generic_C;Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2;-;2014-11-23 00:00:00;70;@Malwrsignatures - included in APT Scanner THOR;MAL,APT,GEN
 Regin_sig_svcsstat;Detects svcstat from Regin report - file svcsstat.exe_sample;-;2014-11-26 00:00:00;70;@MalwrSignatures;
 Regin_Sample_1;Auto-generated rule - file-3665415_sys;-;2014-11-26 00:00:00;70;@MalwrSignatures;
 Regin_Sample_2;Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin;-;2014-11-26 00:00:00;70;@MalwrSignatures;
@@ -2481,31 +2482,31 @@ Regin_Sample_Set_2;Detects Regin Backdoor sample;-;2014-11-27 00:00:00;70;@Malwr
 apt_regin_legspin;Rule to detect Regin's Legspin module;https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/;1970-01-01 01:00:00;70;-;
 apt_regin_hopscotch;Rule to detect Regin's Hopscotch module;https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/;1970-01-01 01:00:00;70;-;
 Regin_Related_Malware;Malware Sample - maybe Regin related;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL
-Malware_QA_not_copy;VT Research QA uploaded malware - file not copy.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,FILE,EXE
-Malware_QA_update;VT Research QA uploaded malware - file update.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,FILE,EXE
-Malware_QA_tls;VT Research QA uploaded malware - file tls.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,FILE,EXE
-Malware_QA_get_The_FucKinG_IP;VT Research QA uploaded malware - file get The FucKinG IP.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,FILE,EXE
-Malware_QA_vqgk;VT Research QA uploaded malware - file vqgk.dll;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,FILE,EXE
+Malware_QA_not_copy;VT Research QA uploaded malware - file not copy.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,EXE,FILE
+Malware_QA_update;VT Research QA uploaded malware - file update.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,EXE,FILE
+Malware_QA_tls;VT Research QA uploaded malware - file tls.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,EXE,FILE
+Malware_QA_get_The_FucKinG_IP;VT Research QA uploaded malware - file get The FucKinG IP.exe;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,EXE,FILE
+Malware_QA_vqgk;VT Research QA uploaded malware - file vqgk.dll;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,EXE,FILE
 Malware_QA_1177;VT Research QA uploaded malware - file 1177.vbs;VT Research QA;2016-08-29 00:00:00;80;Florian Roth;MAL,FILE
-APT_Malware_PutterPanda_Rel;Detects an APT malware related to PutterPanda;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,MAL
-APT_Malware_PutterPanda_Rel_2;APT Malware related to PutterPanda Group;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;APT,EXE,CHINA,FILE,MAL
-APT_Malware_PutterPanda_PSAPI;Detects a malware related to Putter Panda;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
-APT_Malware_PutterPanda_WUAUCLT;Detects a malware related to Putter Panda;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;CHINA,MAL
-APT_Malware_PutterPanda_Gen1;Detects a malware ;not set;2015-06-03 00:00:00;70;YarGen Rule Generator;MAL,FILE,EXE
-Malware_MsUpdater_String_in_EXE;MSUpdater String in Executable;VT Analysis;2015-06-03 00:00:00;50;Florian Roth;FILE,EXE
-APT_Malware_PutterPanda_MsUpdater_3;Detects Malware related to PutterPanda - MSUpdater;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
-APT_Malware_PutterPanda_MsUpdater_1;Detects Malware related to PutterPanda - MSUpdater;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
-APT_Malware_PutterPanda_MsUpdater_2;Detects Malware related to PutterPanda - MSUpdater;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
-APT_Malware_PutterPanda_Gen4;Detects Malware related to PutterPanda;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;CHINA,MAL,FILE,EXE
-BKDR_Snarasite_Oct17;Auto-generated rule - file 36ba92cba23971ca9d16a0b4f45c853fd5b3108076464d5f2027b0f56054fd62;Internal Research;2017-10-07 00:00:00;70;Florian Roth;FILE,EXE
-MAL_Floxif_Generic;Detects Floxif Malware;Internal Research;2018-05-11 00:00:00;80;Florian Roth;MAL,FILE,EXE
-MAL_CN_FlyStudio_May18_1;Detects malware / hacktool detected in May 2018;Internal Research;2018-05-11 00:00:00;70;Florian Roth;FILE,EXE
+APT_Malware_PutterPanda_Rel;Detects an APT malware related to PutterPanda;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;EXE,CHINA,MAL,APT,FILE
+APT_Malware_PutterPanda_Rel_2;APT Malware related to PutterPanda Group;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;EXE,CHINA,MAL,APT,FILE
+APT_Malware_PutterPanda_PSAPI;Detects a malware related to Putter Panda;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
+APT_Malware_PutterPanda_WUAUCLT;Detects a malware related to Putter Panda;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,CHINA
+APT_Malware_PutterPanda_Gen1;Detects a malware ;not set;2015-06-03 00:00:00;70;YarGen Rule Generator;MAL,EXE,FILE
+Malware_MsUpdater_String_in_EXE;MSUpdater String in Executable;VT Analysis;2015-06-03 00:00:00;50;Florian Roth;EXE,FILE
+APT_Malware_PutterPanda_MsUpdater_3;Detects Malware related to PutterPanda - MSUpdater;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
+APT_Malware_PutterPanda_MsUpdater_1;Detects Malware related to PutterPanda - MSUpdater;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
+APT_Malware_PutterPanda_MsUpdater_2;Detects Malware related to PutterPanda - MSUpdater;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
+APT_Malware_PutterPanda_Gen4;Detects Malware related to PutterPanda;VT Analysis;2015-06-03 00:00:00;70;Florian Roth;MAL,EXE,CHINA,FILE
+BKDR_Snarasite_Oct17;Auto-generated rule - file 36ba92cba23971ca9d16a0b4f45c853fd5b3108076464d5f2027b0f56054fd62;Internal Research;2017-10-07 00:00:00;70;Florian Roth;EXE,FILE
+MAL_Floxif_Generic;Detects Floxif Malware;Internal Research;2018-05-11 00:00:00;80;Florian Roth;MAL,EXE,FILE
+MAL_CN_FlyStudio_May18_1;Detects malware / hacktool detected in May 2018;Internal Research;2018-05-11 00:00:00;70;Florian Roth;EXE,FILE
 Query_XML_Code_MAL_DOC_PT_2;Detects malware mentioned in TA18-074A;-;1970-01-01 01:00:00;70;other;FILE
 Query_Javascript_Decode_Function;Detects malware mentioned in TA18-074A;-;1970-01-01 01:00:00;70;other;
 z_webshell;Detection for the z_webshell;-;2018-01-25 00:00:00;70;DHS NCCIC Hunt and Incident Response Team;FILE
-TA18_074A_screen;Detects malware mentioned in TA18-074A;https://www.us-cert.gov/ncas/alerts/TA18-074A;2018-03-16 00:00:00;70;Florian Roth;FILE,EXE
+TA18_074A_screen;Detects malware mentioned in TA18-074A;https://www.us-cert.gov/ncas/alerts/TA18-074A;2018-03-16 00:00:00;70;Florian Roth;EXE,FILE
 TA18_074A_scripts;Detects malware mentioned in TA18-074A;https://www.us-cert.gov/ncas/alerts/TA18-074A;2018-03-16 00:00:00;70;Florian Roth;
-Weevely_Webshell;Weevely Webshell - Generic Rule - heavily scrambled tiny web shell;http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html;2014-12-14 00:00:00;60;Florian Roth;GEN,WEBSHELL
+Weevely_Webshell;Weevely Webshell - Generic Rule - heavily scrambled tiny web shell;http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html;2014-12-14 00:00:00;60;Florian Roth;WEBSHELL,GEN
 webshell_h4ntu_shell_powered_by_tsoi_;Web Shell - file h4ntu shell [powered by tsoi].php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_PHP_sql;Web Shell - file sql.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_PHP_a;Web Shell - file a.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
@@ -2601,14 +2602,14 @@ webshell_PHP_G5;Web Shell - file G5.php;-;2014-01-28 00:00:00;70;Florian Roth;WE
 webshell_PHP_r57142;Web Shell - file r57142.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_jsp_tree;Web Shell - file tree.jsp;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_C99madShell_v_3_0_smowu;Web Shell - file smowu.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
-webshell_simple_backdoor;Web Shell - file simple-backdoor.php;-;2014-01-28 00:00:00;70;Florian Roth;MAL,WEBSHELL
+webshell_simple_backdoor;Web Shell - file simple-backdoor.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL,MAL
 webshell_PHP_404;Web Shell - file 404.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_Macker_s_Private_PHPShell;Web Shell - file Macker's Private PHPShell.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_Antichat_Shell_v1_3_2;Web Shell - file Antichat Shell v1.3.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_Safe_mode_breaker;Web Shell - file Safe mode breaker.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_Sst_Sheller;Web Shell - file Sst-Sheller.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_jsp_list;Web Shell - file list.jsp;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
-webshell_PHPJackal_v1_5;Web Shell - file PHPJackal v1.5.php;-;2014-01-28 00:00:00;70;Florian Roth;MIDDLE_EAST,WEBSHELL
+webshell_PHPJackal_v1_5;Web Shell - file PHPJackal v1.5.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL,MIDDLE_EAST
 webshell_customize;Web Shell - file customize.jsp;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_s72_Shell_v1_1_Coding;Web Shell - file s72 Shell v1.1 Coding.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
 webshell_jsp_sys3;Web Shell - file sys3.jsp;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL
@@ -2626,7 +2627,7 @@ webshell_PHP_150;Web Shell - file 150.php;-;2014-01-28 00:00:00;70;Florian Roth; webshell_jsp_cmdjsp_2;Web Shell - file cmdjsp.jsp;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL webshell_PHP_c37;Web Shell - file c37.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL webshell_PHP_b37;Web Shell - file b37.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL -webshell_php_backdoor;Web Shell - file php-backdoor.php;-;2014-01-28 00:00:00;70;Florian Roth;MAL,WEBSHELL +webshell_php_backdoor;Web Shell - file php-backdoor.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL,MAL webshell_asp_dabao;Web Shell - file dabao.asp;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL webshell_php_2;Web Shell - file 2.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL webshell_asp_cmdasp;Web Shell - file cmdasp.asp;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL 
@@ -2675,7 +2676,7 @@ webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc;Web Shell - from file webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2;Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz;Web Shell;-;2014-01-28 00:00:00;60;Florian Roth;WEBSHELL webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx;Web Shell;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL -webshell_itsec_PHPJackal_itsecteam_shell_jHn;Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php;-;2014-01-28 00:00:00;70;Florian Roth;MIDDLE_EAST,WEBSHELL +webshell_itsec_PHPJackal_itsecteam_shell_jHn;Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL,MIDDLE_EAST webshell_Shell_ci_Biz_was_here_c100_v_xxx;Web Shell;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1;Web Shell;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL webshell_c99_c99shell_c99_w4cking_Shell_xxx;Web Shell;-;2014-01-28 00:00:00;70;Florian Roth;WEBSHELL 
@@ -2721,7 +2722,7 @@ webshell_webshells_new_php5;Web shells - generated from file php5.php;-;2014-03- webshell_webshells_new_PHP;Web shells - generated from file PHP.php;-;2014-03-28 00:00:00;70;Florian Roth;WEBSHELL webshell_webshells_new_Asp;Web shells - generated from file Asp.asp;-;2014-03-28 00:00:00;70;Florian Roth;WEBSHELL perlbot_pl;Semi-Auto-generated - file perlbot.pl.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL -php_backdoor_php;Semi-Auto-generated - file php-backdoor.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;MAL,WEBSHELL +php_backdoor_php;Semi-Auto-generated - file php-backdoor.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL,MAL Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php;Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL Nshell__1__php_php;Semi-Auto-generated - file Nshell (1).php.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL shankar_php_php;Semi-Auto-generated - file shankar.php.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL 
@@ -2760,7 +2761,7 @@ aZRaiLPhp_v1_0_php;Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt;-;1970-01- Moroccan_Spamers_Ma_EditioN_By_GhOsT_php;Semi-Auto-generated - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL zacosmall_php;Semi-Auto-generated - file zacosmall.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL CmdAsp_asp;Semi-Auto-generated - file CmdAsp.asp.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL -simple_backdoor_php;Semi-Auto-generated - file simple-backdoor.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;MAL,WEBSHELL +simple_backdoor_php;Semi-Auto-generated - file simple-backdoor.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL,MAL mysql_shell_php;Semi-Auto-generated - file mysql_shell.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL Dive_Shell_1_0___Emperor_Hacking_Team_php;Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL Asmodeus_v0_1_pl;Semi-Auto-generated - file Asmodeus v0.1.pl.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL 
@@ -2775,14 +2776,14 @@ rootshell_php;Semi-Auto-generated - file rootshell.php.txt;-;1970-01-01 01:00:0 connectback2_pl;Semi-Auto-generated - file connectback2.pl.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL DefaceKeeper_0_2_php;Semi-Auto-generated - file DefaceKeeper_0.2.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL shells_PHP_wso;Semi-Auto-generated - file wso.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL -backdoor1_php;Semi-Auto-generated - file backdoor1.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;MAL,WEBSHELL +backdoor1_php;Semi-Auto-generated - file backdoor1.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL,MAL elmaliseker_asp;Semi-Auto-generated - file elmaliseker.asp.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL indexer_asp;Semi-Auto-generated - file indexer.asp.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL DxShell_php_php;Semi-Auto-generated - file DxShell.php.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL s72_Shell_v1_1_Coding_html;Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL hidshell_php_php;Semi-Auto-generated - file hidshell.php.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL kacak_asp;Semi-Auto-generated - file kacak.asp.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL -PHP_Backdoor_Connect_pl_php;Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;MAL,WEBSHELL 
+PHP_Backdoor_Connect_pl_php;Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL,MAL Antichat_Socks5_Server_php_php;Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL Antichat_Shell_v1_3_php;Semi-Auto-generated - file Antichat Shell v1.3.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php;Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL 
@@ -2803,7 +2804,7 @@ Phyton_Shell_py;Semi-Auto-generated - file Phyton Shell.py.txt;-;1970-01-01 01: mysql_tool_php_php;Semi-Auto-generated - file mysql_tool.php.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL Zehir_4_asp;Semi-Auto-generated - file Zehir 4.asp.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL sh_php_php;Semi-Auto-generated - file sh.php.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL -phpbackdoor15_php;Semi-Auto-generated - file phpbackdoor15.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;MAL,WEBSHELL +phpbackdoor15_php;Semi-Auto-generated - file phpbackdoor15.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL,MAL phpjackal_php;Semi-Auto-generated - file phpjackal.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL sql_php_php;Semi-Auto-generated - file sql.php.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL cgi_python_py;Semi-Auto-generated - file cgi-python.py.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL 
@@ -2815,7 +2816,7 @@ Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php;Semi-Auto-generated - file Saf shell_php_php;Semi-Auto-generated - file shell.php.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL telnet_cgi;Semi-Auto-generated - file telnet.cgi.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL ironshell_php;Semi-Auto-generated - file ironshell.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL -backdoorfr_php;Semi-Auto-generated - file backdoorfr.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;MAL,WEBSHELL +backdoorfr_php;Semi-Auto-generated - file backdoorfr.php.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL,MAL aspydrv_asp;Semi-Auto-generated - file aspydrv.asp.txt;-;1970-01-01 01:00:00;60;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL cmdjsp_jsp;Semi-Auto-generated - file cmdjsp.jsp.txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL h4ntu_shell__powered_by_tsoi_;Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt;-;1970-01-01 01:00:00;70;Neo23x0 Yara BRG + customization by Stefan -dfate- Molls;WEBSHELL 
@@ -2875,7 +2876,7 @@ WebShell_php_webshells_pws;PHP Webshells Github Archive - file pws.php;-;1970-01 WebShell_reader_asp_php;PHP Webshells Github Archive - file reader.asp.php.txt;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2;PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit;PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_php_backdoor;PHP Webshells Github Archive - file php-backdoor.php;-;1970-01-01 01:00:00;70;Florian Roth;MAL,WEBSHELL +WebShell_php_backdoor;PHP Webshells Github Archive - file php-backdoor.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,MAL WebShell_Worse_Linux_Shell;PHP Webshells Github Archive - file Worse Linux Shell.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,LINUX WebShell_php_webshells_pHpINJ;PHP Webshells Github Archive - file pHpINJ.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_php_webshells_NGH;PHP Webshells Github Archive - file NGH.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL 
@@ -2889,11 +2890,11 @@ WebShell_safe0ver;PHP Webshells Github Archive - file safe0ver.php;-;1970-01-01 WebShell_Uploader;PHP Webshells Github Archive - file Uploader.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_php_webshells_kral;PHP Webshells Github Archive - file kral.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_cgitelnet;PHP Webshells Github Archive - file cgitelnet.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_simple_backdoor;PHP Webshells Github Archive - file simple-backdoor.php;-;1970-01-01 01:00:00;70;Florian Roth;MAL,WEBSHELL +WebShell_simple_backdoor;PHP Webshells Github Archive - file simple-backdoor.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,MAL WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2;PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_NTDaddy_v1_9;PHP Webshells Github Archive - file NTDaddy v1.9.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_lamashell;PHP Webshells Github Archive - file lamashell.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_Simple_PHP_backdoor_by_DK;PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php;-;1970-01-01 01:00:00;70;Florian Roth;MAL,WEBSHELL +WebShell_Simple_PHP_backdoor_by_DK;PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,MAL WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT;PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_C99madShell_v__2_0_madnet_edition;PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_CmdAsp_asp_php;PHP Webshells Github Archive - file CmdAsp.asp.php.txt;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL 
@@ -2907,7 +2908,7 @@ WebShell_php_webshells_529;PHP Webshells Github Archive - file 529.php;-;1970-01 WebShell_STNC_WebShell_v0_8;PHP Webshells Github Archive - file STNC WebShell v0.8.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_php_webshells_tryag;PHP Webshells Github Archive - file tryag.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_dC3_Security_Crew_Shell_PRiV_2;PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_qsd_php_backdoor;PHP Webshells Github Archive - file qsd-php-backdoor.php;-;1970-01-01 01:00:00;70;Florian Roth;MAL,WEBSHELL +WebShell_qsd_php_backdoor;PHP Webshells Github Archive - file qsd-php-backdoor.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,MAL WebShell_php_webshells_spygrup;PHP Webshells Github Archive - file spygrup.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_Web_shell__c_ShAnKaR;PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz;PHP Webshells Github Archive - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL 
@@ -2934,27 +2935,27 @@ WebShell_CasuS_1_5;PHP Webshells Github Archive - file CasuS 1.5.php;-;1970-01-0 WebShell_ftpsearch;PHP Webshells Github Archive - file ftpsearch.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_;PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah;PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_Generic_PHP_7;PHP Webshells Github Archive;-;1970-01-01 01:00:00;70;Florian Roth;GEN,WEBSHELL +WebShell_Generic_PHP_7;PHP Webshells Github Archive;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall;PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_Generic_PHP_8;PHP Webshells Github Archive;-;1970-01-01 01:00:00;70;Florian Roth;GEN,WEBSHELL +WebShell_Generic_PHP_8;PHP Webshells Github Archive;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php;PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_Generic_PHP_9;PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php;-;1970-01-01 01:00:00;70;Florian Roth;GEN,WEBSHELL +WebShell_Generic_PHP_9;PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN WebShell__PH_Vayv_PHVayv_PH_Vayv;PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, 
PH_Vayv.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_Generic_PHP_1;PHP Webshells Github Archive - from files Dive Shell 1.0;-;1970-01-01 01:00:00;70;Florian Roth;GEN,WEBSHELL -WebShell_Generic_PHP_2;PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php;-;1970-01-01 01:00:00;70;Florian Roth;GEN,WEBSHELL +WebShell_Generic_PHP_1;PHP Webshells Github Archive - from files Dive Shell 1.0;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN +WebShell_Generic_PHP_2;PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN WebShell__CrystalShell_v_1_erne_stres;PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_Generic_PHP_3;PHP Webshells Github Archive;-;1970-01-01 01:00:00;70;Florian Roth;GEN,WEBSHELL -WebShell_Generic_PHP_4;PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php;-;1970-01-01 01:00:00;70;Florian Roth;GEN,WEBSHELL +WebShell_Generic_PHP_3;PHP Webshells Github Archive;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN +WebShell_Generic_PHP_4;PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN WebShell_GFS;PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL WebShell__CrystalShell_v_1_sosyete_stres;PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_Generic_PHP_10;PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php;-;1970-01-01 
01:00:00;70;Florian Roth;GEN,WEBSHELL -WebShell_Generic_PHP_11;PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php;-;1970-01-01 01:00:00;70;Florian Roth;GEN,WEBSHELL +WebShell_Generic_PHP_10;PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN +WebShell_Generic_PHP_11;PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN WebShell__findsock_php_findsock_shell_php_reverse_shell;PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -WebShell_Generic_PHP_6;PHP Webshells Github Archive;-;1970-01-01 01:00:00;70;Florian Roth;GEN,WEBSHELL -Unpack_Injectt;Webshells Auto-generated - file Injectt.exe;-;1970-01-01 01:00:00;70;Florian Roth;HKTL,WEBSHELL +WebShell_Generic_PHP_6;PHP Webshells Github Archive;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,GEN +Unpack_Injectt;Webshells Auto-generated - file Injectt.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,HKTL HYTop_DevPack_fso;Webshells Auto-generated - file fso.asp;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL FeliksPack3___PHP_Shells_ssh;Webshells Auto-generated - file ssh.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -Debug_BDoor;Webshells Auto-generated - file BDoor.dll;-;1970-01-01 01:00:00;70;Florian Roth;MAL,WEBSHELL +Debug_BDoor;Webshells Auto-generated - file BDoor.dll;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,MAL bin_Client;Webshells Auto-generated - file Client.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL ZXshell2_0_rar_Folder_ZXshell;Webshells Auto-generated - file ZXshell.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL RkNTLoad;Webshells Auto-generated - file 
RkNTLoad.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL @@ -2973,7 +2974,7 @@ EditServer_EXE;Webshells Auto-generated - file EditServer.exe;-;1970-01-01 01:00 FSO_s_reader;Webshells Auto-generated - file reader.asp;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL ASP_CmdAsp;Webshells Auto-generated - file CmdAsp.asp;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL KA_uShell;Webshells Auto-generated - file KA_uShell.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -PHP_Backdoor_v1;Webshells Auto-generated - file PHP Backdoor v1.php;-;1970-01-01 01:00:00;70;Florian Roth;MAL,WEBSHELL +PHP_Backdoor_v1;Webshells Auto-generated - file PHP Backdoor v1.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,MAL svchostdll;Webshells Auto-generated - file svchostdll.dll;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL HYTop_DevPack_server;Webshells Auto-generated - file server.asp;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL vanquish;Webshells Auto-generated - file vanquish.dll;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL 
@@ -2987,7 +2988,7 @@ BIN_Client;Webshells Auto-generated - file Client.exe;-;1970-01-01 01:00:00;70;F shelltools_g0t_root_uptime;Webshells Auto-generated - file uptime.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL Simple_PHP_BackDooR;Webshells Auto-generated - file Simple_PHP_BackDooR.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL sig_2005Gray;Webshells Auto-generated - file 2005Gray.asp;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -DllInjection;Webshells Auto-generated - file DllInjection.exe;-;1970-01-01 01:00:00;70;Florian Roth;HKTL,WEBSHELL +DllInjection;Webshells Auto-generated - file DllInjection.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,HKTL Mithril_v1_45_Mithril;Webshells Auto-generated - file Mithril.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL hkshell_hkrmv;Webshells Auto-generated - file hkrmv.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL phpshell;Webshells Auto-generated - file phpshell.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL @@ -3021,7 +3022,7 @@ FSO_s_ntdaddy;Webshells Auto-generated - file ntdaddy.asp;-;1970-01-01 01:00:00; nstview_nstview;Webshells Auto-generated - file nstview.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL HYTop_DevPack_upload;Webshells Auto-generated - file upload.asp;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL PasswordReminder;Webshells Auto-generated - file PasswordReminder.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -Pack_InjectT;Webshells Auto-generated - file InjectT.exe;-;1970-01-01 01:00:00;70;Florian Roth;HKTL,WEBSHELL +Pack_InjectT;Webshells Auto-generated - file InjectT.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,HKTL FSO_s_RemExp_2;Webshells Auto-generated - file RemExp.asp;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL FSO_s_c99;Webshells Auto-generated - file c99.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL rknt_zip_Folder_RkNT;Webshells Auto-generated - file RkNT.dll;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL 
@@ -3086,7 +3087,7 @@ down_rar_Folder_down;Webshells Auto-generated - file down.asp;-;1970-01-01 01:00 cmdShell;Webshells Auto-generated - file cmdShell.asp;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL ZXshell2_0_rar_Folder_nc;Webshells Auto-generated - file nc.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL portlessinst;Webshells Auto-generated - file portlessinst.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL -SetupBDoor;Webshells Auto-generated - file SetupBDoor.exe;-;1970-01-01 01:00:00;70;Florian Roth;MAL,WEBSHELL +SetupBDoor;Webshells Auto-generated - file SetupBDoor.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL,MAL phpshell_3;Webshells Auto-generated - file phpshell.php;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL BIN_Server;Webshells Auto-generated - file Server.exe;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL HYTop2006_rar_Folder_2006;Webshells Auto-generated - file 2006.asp;-;1970-01-01 01:00:00;70;Florian Roth;WEBSHELL 
@@ -3098,8 +3099,8 @@ JSP_Browser_APT_webshell;VonLoesch JSP Browser used as web shell by APT groups - JSP_jfigueiredo_APT_webshell;JSP Browser used as web shell by APT groups - author: jfigueiredo;http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp;2014-12-10 00:00:00;60;F.Roth;WEBSHELL,APT JSP_jfigueiredo_APT_webshell_2;JSP Browser used as web shell by APT groups - author: jfigueiredo;http://ceso.googlecode.com/svn/web/bko/filemanager/;2014-12-10 00:00:00;60;F.Roth;WEBSHELL,APT Webshell_Insomnia;Insomnia Webshell - file InsomniaShell.aspx;http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/;2014-12-09 00:00:00;80;Florian Roth;WEBSHELL -HawkEye_PHP_Panel;Detects HawkEye Keyloggers PHP Panel;-;2014-12-14 00:00:00;60;Florian Roth;HKTL,WEBSHELL -SoakSoak_Infected_Wordpress;Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX;http://goo.gl/1GzWUX;2014-12-15 00:00:00;60;Florian Roth;OFFICE,WEBSHELL +HawkEye_PHP_Panel;Detects HawkEye Keyloggers PHP Panel;-;2014-12-14 00:00:00;60;Florian Roth;WEBSHELL,HKTL +SoakSoak_Infected_Wordpress;Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX;http://goo.gl/1GzWUX;2014-12-15 00:00:00;60;Florian Roth;WEBSHELL,OFFICE Pastebin_Webshell;Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs;http://goo.gl/7dbyZs;2015-01-13 00:00:00;70;Florian Roth;WEBSHELL ASPXspy2;Web shell - file ASPXspy2.aspx;not set;2015-01-24 00:00:00;70;Florian Roth;WEBSHELL Webshell_27_9_c66_c99;Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ...;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL 
@@ -3107,60 +3108,60 @@ Webshell_acid_AntiSecShell_3;Detects Webshell Acid;https://github.com/nikicat/we Webshell_c99_4;Detects C99 Webshell;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL Webshell_r57shell_2;Detects Webshell R57;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL Webshell_27_9_acid_c99_locus7s;Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL -Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57;Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ...;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;MAL,WEBSHELL +Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57;Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ...;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL,MAL Webshell_c100;Detects Webshell - rule generated from from files c100 v. 
777shell;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL Webshell_AcidPoison;Detects Poison Sh3ll - Webshell;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256;Detects Webshell;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL Webshell_Ayyildiz;Detects Webshell;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL Webshell_zehir;Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt;https://github.com/nikicat/web-malware-collection;2016-01-11 00:00:00;70;Florian Roth;WEBSHELL -UploadShell_98038f1efa4203432349badabad76d44337319a6;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;FILE,WEBSHELL -DKShell_f0772be3c95802a2d1e7a4a3f5a45dcdef6997f3;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;FILE,WEBSHELL -Unknown_8af033424f9590a15472a23cc3236e68070b952e;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;FILE,WEBSHELL -DkShell_4000bd83451f0d8501a9dfad60dce39e55ae167d;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;FILE,WEBSHELL -WebShell_5786d7d9f4b0df731d79ed927fb5a124195fc901;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;FILE,WEBSHELL -webshell_e8eaf8da94012e866e51547cd63bb996379690bf;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;FILE,WEBSHELL -Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;FILE,WEBSHELL -WSOShell_0bbebaf46f87718caba581163d4beed56ddf73a7;Detects a web 
shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;FILE,WEBSHELL
-WebShell_Generic_1609_A;Auto-generated rule;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;FILE,WEBSHELL,GEN
-Nishang_Webshell;Detects a ASPX web shell;https://github.com/samratashok/nishang;2016-09-11 00:00:00;70;Florian Roth;FILE,WEBSHELL
+UploadShell_98038f1efa4203432349badabad76d44337319a6;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;WEBSHELL,FILE
+DKShell_f0772be3c95802a2d1e7a4a3f5a45dcdef6997f3;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;WEBSHELL,FILE
+Unknown_8af033424f9590a15472a23cc3236e68070b952e;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;WEBSHELL,FILE
+DkShell_4000bd83451f0d8501a9dfad60dce39e55ae167d;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;WEBSHELL,FILE
+WebShell_5786d7d9f4b0df731d79ed927fb5a124195fc901;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;WEBSHELL,FILE
+webshell_e8eaf8da94012e866e51547cd63bb996379690bf;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;WEBSHELL,FILE
+Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;WEBSHELL,FILE
+WSOShell_0bbebaf46f87718caba581163d4beed56ddf73a7;Detects a web shell;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;WEBSHELL,FILE
+WebShell_Generic_1609_A;Auto-generated rule;https://github.com/bartblaze/PHP-backdoors;2016-09-10 00:00:00;70;Florian Roth;WEBSHELL,GEN,FILE
+Nishang_Webshell;Detects a ASPX web shell;https://github.com/samratashok/nishang;2016-09-11 00:00:00;70;Florian Roth;WEBSHELL,FILE
 PHP_Webshell_1_Feb17;Detects a simple cloaked PHP web shell;https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127;2017-02-28 00:00:00;70;Florian Roth;WEBSHELL
-Webshell_Tiny_JSP_2;Detects a tiny webshell - chine chopper;-;2015-12-05 00:00:00;100;Florian Roth;FILE,WEBSHELL
-Wordpress_Config_Webshell_Preprend;Webshell that uses standard Wordpress wp-config.php file and appends the malicious code in front of it;Internal Research;2017-06-25 00:00:00;65;Florian Roth;FILE,OFFICE,WEBSHELL
-PAS_Webshell_Encoded;Detects a PAS webshell;http://blog.talosintelligence.com/2017/07/the-medoc-connection.html;2017-07-11 00:00:00;80;Florian Roth;FILE,WEBSHELL
+Webshell_Tiny_JSP_2;Detects a tiny webshell - chine chopper;-;2015-12-05 00:00:00;100;Florian Roth;WEBSHELL,FILE
+Wordpress_Config_Webshell_Preprend;Webshell that uses standard Wordpress wp-config.php file and appends the malicious code in front of it;Internal Research;2017-06-25 00:00:00;65;Florian Roth;WEBSHELL,OFFICE,FILE
+PAS_Webshell_Encoded;Detects a PAS webshell;http://blog.talosintelligence.com/2017/07/the-medoc-connection.html;2017-07-11 00:00:00;80;Florian Roth;WEBSHELL,FILE
 ALFA_SHELL;Detects web shell often used by Iranian APT groups;Internal Research - APT33;2017-09-21 00:00:00;70;Florian Roth;WEBSHELL,APT
-Webshell_FOPO_Obfuscation_APT_ON_Nov17_1;Detects malware from NK APT incident DE;Internal Research - ON;2017-11-17 00:00:00;70;Florian Roth;FILE,OBFUS,WEBSHELL,APT
-WebShell_JexBoss_JSP_1;Detects JexBoss JSPs;Internal Research;2018-11-08 00:00:00;70;Florian Roth;FILE,WEBSHELL
-WebShell_JexBoss_WAR_1;Detects JexBoss versions in WAR form;Internal Research;2018-11-08 00:00:00;70;Florian Roth;FILE,WEBSHELL
-webshell_tinyasp;Detects 24 byte ASP webshell and variations;-;2019-01-09 00:00:00;70;Jeff Beley;FILE,WEBSHELL
+Webshell_FOPO_Obfuscation_APT_ON_Nov17_1;Detects malware from NK APT incident DE;Internal Research - ON;2017-11-17 00:00:00;70;Florian Roth;WEBSHELL,OBFUS,APT,FILE
+WebShell_JexBoss_JSP_1;Detects JexBoss JSPs;Internal Research;2018-11-08 00:00:00;70;Florian Roth;WEBSHELL,FILE
+WebShell_JexBoss_WAR_1;Detects JexBoss versions in WAR form;Internal Research;2018-11-08 00:00:00;70;Florian Roth;WEBSHELL,FILE
+webshell_tinyasp;Detects 24 byte ASP webshell and variations;-;2019-01-09 00:00:00;70;Jeff Beley;WEBSHELL,FILE
 Office_AutoOpen_Macro;Detects an Microsoft Office file that contains the AutoOpen Macro function;-;2015-05-28 00:00:00;40;Florian Roth;OFFICE,FILE
-Office_as_MHTML;Detects an Microsoft Office saved as a MHTML file (false positives are possible but rare; many matches on CVE-2012-0158);https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/;2015-05-28 00:00:00;40;Florian Roth;OFFICE,FILE,EXPLOIT
+Office_as_MHTML;Detects an Microsoft Office saved as a MHTML file (false positives are possible but rare; many matches on CVE-2012-0158);https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/;2015-05-28 00:00:00;40;Florian Roth;EXPLOIT,OFFICE,FILE
 Docm_in_PDF;Detects an embedded DOCM in PDF combined with OpenAction;Internal Research;2017-05-15 00:00:00;70;Florian Roth;FILE
 OSX_backdoor_EvilOSX;EvilOSX MacOS/OSX backdoor;https://github.com/Marten4n6/EvilOSX, https://twitter.com/JohnLaTwC/status/966139336436498432;2018-02-23 00:00:00;70;John Lambert @JohnLaTwC;MAL,MACOS
 malrtf_ole2link;Detect weaponized RTF documents with OLE2Link exploit;-;1970-01-01 01:00:00;70;@h3x2b ;FILE
 skeleton_key_patcher;Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN;http://goo.gl/aAk3lN;2015-01-13 00:00:00;70;Dell SecureWorks Counter Threat Unit;
 skeleton_key_injected_code;Skeleton Key injected Code http://goo.gl/aAk3lN;http://goo.gl/aAk3lN;2015-01-13 00:00:00;70;Dell SecureWorks Counter Threat Unit;
-Rombertik_CarbonGrabber;Detects CarbonGrabber alias Rombertik - file Copy#064046.scr;http://blogs.cisco.com/security/talos/rombertik;2015-05-05 00:00:00;70;Florian Roth;FILE,EXE
+Rombertik_CarbonGrabber;Detects CarbonGrabber alias Rombertik - file Copy#064046.scr;http://blogs.cisco.com/security/talos/rombertik;2015-05-05 00:00:00;70;Florian Roth;EXE,FILE
 Rombertik_CarbonGrabber_Panel_InstallScript;Detects CarbonGrabber alias Rombertik panel install script - file install.php;http://blogs.cisco.com/security/talos/rombertik;2015-05-05 00:00:00;70;Florian Roth;
 Rombertik_CarbonGrabber_Panel;Detects CarbonGrabber alias Rombertik Panel - file index.php;http://blogs.cisco.com/security/talos/rombertik;2015-05-05 00:00:00;70;Florian Roth;
-Rombertik_CarbonGrabber_Builder;Detects CarbonGrabber alias Rombertik Builder - file Builder.exe;http://blogs.cisco.com/security/talos/rombertik;2015-05-05 00:00:00;70;Florian Roth;FILE,EXE
-Rombertik_CarbonGrabber_Builder_Server;Detects CarbonGrabber alias Rombertik Builder Server - file Server.exe;http://blogs.cisco.com/security/talos/rombertik;2015-05-05 00:00:00;70;Florian Roth;FILE,EXE
+Rombertik_CarbonGrabber_Builder;Detects CarbonGrabber alias Rombertik Builder - file Builder.exe;http://blogs.cisco.com/security/talos/rombertik;2015-05-05 00:00:00;70;Florian Roth;EXE,FILE
+Rombertik_CarbonGrabber_Builder_Server;Detects CarbonGrabber alias Rombertik Builder Server - file Server.exe;http://blogs.cisco.com/security/talos/rombertik;2015-05-05 00:00:00;70;Florian Roth;EXE,FILE
 Ysoserial_Payload_MozillaRhino1;Ysoserial Payloads - file MozillaRhino1.bin;https://github.com/frohoff/ysoserial;2017-02-04 00:00:00;70;Florian Roth;FILE
 Ysoserial_Payload_C3P0;Ysoserial Payloads - file C3P0.bin;https://github.com/frohoff/ysoserial;2017-02-04 00:00:00;70;Florian Roth;FILE
 Ysoserial_Payload_Spring1;Ysoserial Payloads - file Spring1.bin;https://github.com/frohoff/ysoserial;2017-02-04 00:00:00;70;Florian Roth;
 Ysoserial_Payload;Ysoserial Payloads;https://github.com/frohoff/ysoserial;2017-02-04 00:00:00;70;Florian Roth;FILE
 Ysoserial_Payload_3;Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin;https://github.com/frohoff/ysoserial;2017-02-04 00:00:00;70;Florian Roth;FILE
 StuxNet_Malware_1;Stuxnet Sample - file malware.exe;Internal Research;2016-07-09 00:00:00;70;Florian Roth;MAL
-Stuxnet_Malware_2;Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802;Internal Research;2016-07-09 00:00:00;70;Florian Roth;MAL,FILE,EXE
-StuxNet_dll;Stuxnet Sample - file dll.dll;Internal Research;2016-07-09 00:00:00;70;Florian Roth;FILE,EXE
+Stuxnet_Malware_2;Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802;Internal Research;2016-07-09 00:00:00;70;Florian Roth;MAL,EXE,FILE
+StuxNet_dll;Stuxnet Sample - file dll.dll;Internal Research;2016-07-09 00:00:00;70;Florian Roth;EXE,FILE
 Stuxnet_Shortcut_to;Stuxnet Sample - file Copy of Shortcut to.lnk;Internal Research;2016-07-09 00:00:00;70;Florian Roth;FILE
-Stuxnet_Malware_3;Stuxnet Sample - file ~WTR4141.tmp;Internal Research;2016-07-09 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Stuxnet_Malware_4;Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198;Internal Research;2016-07-09 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Stuxnet_Malware_3;Stuxnet Sample - file ~WTR4141.tmp;Internal Research;2016-07-09 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Stuxnet_Malware_4;Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198;Internal Research;2016-07-09 00:00:00;70;Florian Roth;MAL,EXE,FILE
 Stuxnet_maindll_decrypted_unpacked;Stuxnet Sample - file maindll.decrypted.unpacked.dll_;Internal Research;2016-07-09 00:00:00;70;Florian Roth;
-Stuxnet_s7hkimdb;Stuxnet Sample - file s7hkimdb.dll;Internal Research;2016-07-09 00:00:00;70;Florian Roth;FILE,EXE
-Foudre_Backdoor_1;Detects Foudre Backdoor;https://goo.gl/Nbqbt6;2017-08-01 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Foudre_Backdoor_Dropper_1;Detects Foudre Backdoor;https://goo.gl/Nbqbt6;2017-08-01 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Foudre_Backdoor_Component_1;Detects Foudre Backdoor;https://goo.gl/Nbqbt6;2017-08-01 00:00:00;70;Florian Roth;MAL,FILE,EXE
-Foudre_Backdoor_SFX;Detects Foudre Backdoor SFX;https://goo.gl/Nbqbt6;2017-08-01 00:00:00;70;Florian Roth;MAL,FILE,EXE
+Stuxnet_s7hkimdb;Stuxnet Sample - file s7hkimdb.dll;Internal Research;2016-07-09 00:00:00;70;Florian Roth;EXE,FILE
+Foudre_Backdoor_1;Detects Foudre Backdoor;https://goo.gl/Nbqbt6;2017-08-01 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Foudre_Backdoor_Dropper_1;Detects Foudre Backdoor;https://goo.gl/Nbqbt6;2017-08-01 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Foudre_Backdoor_Component_1;Detects Foudre Backdoor;https://goo.gl/Nbqbt6;2017-08-01 00:00:00;70;Florian Roth;MAL,EXE,FILE
+Foudre_Backdoor_SFX;Detects Foudre Backdoor SFX;https://goo.gl/Nbqbt6;2017-08-01 00:00:00;70;Florian Roth;MAL,EXE,FILE
 apt_RU_MoonlightMaze_customlokitools;Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings;https://en.wikipedia.org/wiki/Moonlight_Maze;2017-03-15 00:00:00;70;Kaspersky Lab;
 apt_RU_MoonlightMaze_customsniffer;Rule to detect Moonlight Maze sniffer tools;https://en.wikipedia.org/wiki/Moonlight_Maze;2017-03-15 00:00:00;70;Kaspersky Lab;
 loki2crypto;Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */;https://en.wikipedia.org/wiki/Moonlight_Maze;2017-03-21 00:00:00;70;Costin Raiu, Kaspersky Lab;
@@ -3171,8 +3172,8 @@ apt_RU_MoonlightMaze_encrypted_keylog;Rule to detect Moonlight Maze encrypted ke
 apt_RU_MoonlightMaze_IRIX_exploit_GEN;Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers;https://en.wikipedia.org/wiki/Moonlight_Maze;2017-03-27 00:00:00;70;Kaspersky Lab;FILE
 apt_RU_MoonlightMaze_u_logcleaner;Rule to detect log cleaners based on utclean.c;https://en.wikipedia.org/wiki/Moonlight_Maze;2017-03-27 00:00:00;70;Kaspersky Lab;FILE
 apt_RU_MoonlightMaze_wipe;Rule to detect log cleaner based on wipe.c;https://en.wikipedia.org/wiki/Moonlight_Maze;2017-03-27 00:00:00;70;Kaspersky Lab;FILE
-APT_MAL_DNS_Hijacking_Campaign_AA19_024A;Detects malware used in DNS Hijackign campaign;https://www.us-cert.gov/ncas/alerts/AA19-024A;2019-01-25 00:00:00;70;Florian Roth;FILE,EXE
-SUSP_Office_Dropper_Strings;Detects Office droppers that include a notice to enable active content;Internal Research;2018-09-13 00:00:00;70;Florian Roth;OFFICE,MAL,FILE
+APT_MAL_DNS_Hijacking_Campaign_AA19_024A;Detects malware used in DNS Hijackign campaign;https://www.us-cert.gov/ncas/alerts/AA19-024A;2019-01-25 00:00:00;70;Florian Roth;EXE,FILE
+SUSP_Office_Dropper_Strings;Detects Office droppers that include a notice to enable active content;Internal Research;2018-09-13 00:00:00;70;Florian Roth;MAL,OFFICE,FILE
 SUSP_EnableContent_String;Detects strings in macro enabled malicious documents;Internal Research;2018-11-19 00:00:00;60;Florian Roth;FILE
 Trojan_Win32_PlaSrv;Hotpatching Injector;-;1970-01-01 01:00:00;70;Microsoft;HKTL
 Trojan_Win32_Platual;Installer component;-;1970-01-01 01:00:00;70;Microsoft;
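Review bot: The only difference on the two added lines in this hunk is the order of the tag column (`FILE,EXE` becomes `EXE,FILE`, `OFFICE,MAL,FILE` becomes `MAL,OFFICE,FILE`) with the tag set itself unchanged, and the same reorder runs through the whole preceding hunk, which suggests the exporter writes tags in set or hash order rather than in a fixed order. Emitting the tag list sorted would keep this file stable across regenerations so that future diffs show only real rule additions or metadata changes, which also makes it easier to spot a tag that was silently dropped. The new `APT_MAL_DNS_Hijacking_Campaign_AA19_024A` line still carries the description typo `Detects malware used in DNS Hijackign campaign`; since this CSV appears to be derived from rule metadata, the correction (`Detects malware used in DNS Hijacking campaign`) presumably belongs in the rule's meta description so the next export picks it up.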