False Positive Reduction

2024-11-06 10:05:18 +00:00 · 2019-02-19 23:46:28 +01:00 · 2019-02-19 23:46:28 +01:00 · d0b1e17dec
commit d0b1e17dec
parent 4c5cbb4ee2
3 changed files with 13 additions and 19 deletions
--- a/yara/apt_eqgrp_apr17.yar
+++ b/yara/apt_eqgrp_apr17.yar
@ -506,23 +506,6 @@ rule EquationGroup_exze {
      ( uint16(0) == 0x457f and filesize < 80KB and all of them )
 }

-rule EquationGroup_porkserver {
-   meta:
-      description = "Equation Group hack tool leaked by ShadowBrokers- file porkserver"
-      license = "https://creativecommons.org/licenses/by-nc/4.0/"
-      author = "Florian Roth"
-      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
-      date = "2017-04-08"
-      hash1 = "7b5f86e289047dd673e8a09438d49ec43832b561bac39b95098f5bf4095b8b4a"
-   strings:
-      $s1 = "%s/%s server failing (looping), service terminated" fullword ascii
-      $s2 = "getpwnam: %s: No such user" fullword ascii
-      $s3 = "execv %s: %m" fullword ascii
-      $s4 = "%s/%s: unknown service" fullword ascii
-   condition:
-      ( uint16(0) == 0x457f and filesize < 70KB and 3 of them )
-}
-
 rule EquationGroup_DUL {
   meta:
      description = "Equation Group hack tool leaked by ShadowBrokers- file DUL"
--- a/yara/apt_project_sauron_extras.yar
+++ b/yara/apt_project_sauron_extras.yar
@ -18,12 +18,24 @@ rule APT_Project_Sauron_Scripts {
 		$x10 = "cat VirtualEncryptedNetwork.ini|grep"
 		$x11 = "if string.lower(k) == \"securityproviders\" then"
 		$x12 = "exec2str(\"plist b | grep netsvcs\")"
-		$x13 = ".*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*"
 		$x14 = "SAURON_KBLOG_KEY ="
 	condition:
 		1 of them
 }

+rule HKTL_Dsniff {
+   meta:
+      description = "Detects Dsniff hack tool"
+      author = "Florian Roth"
+      score = 55
+      reference = "https://goo.gl/eFoP4A"
+      date = "2019-02-19"
+   strings:
+      $x1 = ".*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*"
+   condition:
+      1 of them
+}
+
 rule APT_Project_Sauron_arping_module {
 	meta:
 		description = "Detects strings from arping module - Project Sauron report by Kaspersky"
--- a/yara/thor-hacktools.yar
+++ b/yara/thor-hacktools.yar
@ -42,7 +42,6 @@ rule Amplia_Security_Tool
      nodeepdive = 1
    strings:
      $a = "Amplia Security"
-      $b = "Hernan Ochoa"
      $c = "getlsasrvaddr.exe"
      $d = "Cannot get PID of LSASS.EXE"
      $e = "extract the TGT session key"