valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Minor changes to rule FP exclusions

Browse Source
This commit is contained in:
Florian Roth 2017-09-29 08:47:22 +02:00
parent f15d1fef2a
commit 8b3a138995
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
yara/thor-hacktools.yar
View File

@ -2906,7 +2906,7 @@ rule mimikatz_lsass_mdmp
strings: strings:
$lsass = "System32\\lsass.exe" wide nocase $lsass = "System32\\lsass.exe" wide nocase
condition: condition:
(uint32(0) == 0x504d444d) and $lsass and filesize > 50000KB and not filename matches /^WER/ (uint32(0) == 0x504d444d) and $lsass and filesize > 50000KB and not filename matches /WER/
} }
rule wce rule wce

2
yara/thor_inverse_matches.yar
View File

@ -300,7 +300,7 @@ rule APT_Cloaked_PsExec
$s1 = "Sysinternals PsExec" wide fullword $s1 = "Sysinternals PsExec" wide fullword
condition: condition:
uint16(0) == 0x5a4d and $s0 and $s1 uint16(0) == 0x5a4d and $s0 and $s1
and not filename matches /^(psexec.exe|PSEXESVC.EXE)$/is and not filename matches /(psexec.exe|PSEXESVC.EXE)$/is
and not filepath matches /RECYCLER\\S-1/ and not filepath matches /RECYCLER\\S-1/
} }