signature-base

mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00

Author	SHA1	Message	Date
Florian Roth	7a9d7b9abd	APT Turla Neuron	2017-11-25 00:40:07 +01:00
Florian Roth	dc521f581d	Fixed OilRig rule - missing pe module	2017-11-24 13:06:18 +01:00
Florian Roth	a6383df158	CVE-2017-11882 by John Davison	2017-11-23 20:33:58 +01:00
Florian Roth	f8f8193249	Typo in ALFA shell rule	2017-11-22 18:15:00 +01:00
Florian Roth	15cbfd9048	New OilRig signature https://twitter.com/ClearskySec/status/933280188733018113	2017-11-22 18:14:50 +01:00
Florian Roth	f11f0b27c1	Malicious lnk file rule	2017-11-22 16:46:31 +01:00
Florian Roth	8515a0b301	Improved description and added note for known false positives	2017-11-22 13:42:44 +01:00
Florian Roth	30610ff120	Webshell FOPO Obfuscation	2017-11-18 20:04:29 +01:00
Florian Roth	6943c01fc2	Alert (TA17-318B) HIDDEN COBRA – Volgmer https://www.us-cert.gov/ncas/alerts/TA17-318B	2017-11-15 21:45:49 +01:00
Florian Roth	b7621bcb99	Alert (TA17-318A) HIDDEN COBRA – FALLCHILL https://www.us-cert.gov/ncas/alerts/TA17-318A	2017-11-15 21:45:10 +01:00
Florian Roth	b187609d40	Reaver and SunOrcal malware https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/	2017-11-12 15:13:38 +01:00
Florian Roth	55868b5eff	False Positive Reduction	2017-11-08 18:39:40 +01:00
Florian Roth	5bd15e9651	Bronze Butler Daserf malware	2017-11-08 12:52:38 +01:00
Florian Roth	3795d702b3	CrunchRAT https://github.com/t3ntman/CrunchRAT	2017-11-04 01:57:05 +01:00
Florian Roth	be700a3c42	PowerShell Obfuscated Invoke - PE Loader	2017-11-03 08:28:52 +01:00
Florian Roth	b6522edf1f	KeyBoys malware http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html	2017-11-03 08:28:16 +01:00
Florian Roth	f33f0140eb	Silence malware https://securelist.com/the-silence/83009/	2017-11-02 09:07:58 +01:00
Florian Roth	6d85ad4e2e	Missing "pe" module import in Kasper rule	2017-10-31 12:11:27 +01:00
Florian Roth	1e22089eee	Missing "pe" module import in APT28 rule	2017-10-31 11:29:48 +01:00
Florian Roth	8ffdc4c43c	Kasper malware update	2017-10-31 10:44:39 +01:00
Florian Roth	49ce0546e9	APT Sofacy Hospitality report malware by CSECybsec http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf	2017-10-31 10:44:17 +01:00
Florian Roth	c83cf1a6ed	Improved DDE in Office documents rules by NVISO Labs	2017-10-25 23:44:30 +02:00
Florian Roth	957ac24585	BadRabbit ransomware	2017-10-25 08:57:00 +02:00
Florian Roth	e2e253c2f2	APT28 / Sofacy malware http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html	2017-10-23 16:56:32 +02:00
Florian Roth	b542e0635c	Cleanup	2017-10-23 16:54:53 +02:00
Florian Roth	81e2977704	False Positive Reduction	2017-10-23 16:54:34 +02:00
Florian Roth	3947d5adfd	Changed wording after quality checks	2017-10-21 19:56:50 +02:00
Florian Roth	bce45632c9	US-CERT TA17-293A - modified YARA rule set https://www.us-cert.gov/ncas/alerts/TA17-293A	2017-10-21 19:53:02 +02:00
Florian Roth	c9a9932b7b	Bad Patch report YARA signatures https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/	2017-10-21 16:27:18 +02:00
Florian Roth	43d5b1737f	Bugfix in Puppy RAT rule	2017-10-20 09:54:59 +02:00
Florian Roth	8e01421bc4	Leviathan APT - Maritime and Defense Targets https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets	2017-10-19 09:34:07 +02:00
Florian Roth	32fe1a4906	OilRig YARA rules derived from PaloAltoNetwork reports Sep/Oct 17	2017-10-19 09:29:59 +02:00
Florian Roth	1f8312fad0	Replaced non-ASCII character	2017-10-19 01:17:59 +02:00
Florian Roth	8da0b76701	False Positive Reduction - apply to files only (not memory)	2017-10-18 21:58:57 +02:00
Florian Roth	6f3e4bd79c	Activate pe.imphash() expressions in my rules	2017-10-18 21:58:30 +02:00
Florian Roth	2ffd97c1d9	HKDoor Rules by Cylance Inc. https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html	2017-10-18 21:57:37 +02:00
Florian Roth	ae643f78d9	FEIB Report - by BEA systems https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html	2017-10-17 08:31:59 +02:00
Florian Roth	8c994452c4	Improved Reflective Loaders Rule	2017-10-15 10:53:06 +02:00
Florian Roth	04b278d87b	Bronze Butler malware https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses	2017-10-15 10:52:49 +02:00
Florian Roth	568aa89d4f	PowerShell Casing Anomaly Adjustments	2017-10-14 23:00:13 +02:00
Florian Roth	3f27b85df6	False Positive Reduction	2017-10-14 12:59:00 +02:00
Florian Roth	430b1b88a2	Saudi Aramco Phishing campaign malware	2017-10-12 09:15:20 +02:00
Florian Roth	96d9ba4858	Results for the DDEAUTO rules are much better	2017-10-11 20:58:16 +02:00
Florian Roth	d3f19e9bf4	Too many false positives	2017-10-11 20:46:16 +02:00
Florian Roth	dca5a3dcf7	Missing PE module imports, minor changes	2017-10-11 18:43:19 +02:00
Florian Roth	ae9f920a2a	Reduced score due to possible false positives	2017-10-11 16:21:43 +02:00
Florian Roth	364da99da5	Decting DDE in Office Docs - Sigs by NVISO Labs https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/	2017-10-11 14:10:38 +02:00
Florian Roth	adf95a4396	Combined PS Anomaly rules to a single rule	2017-10-11 10:37:33 +02:00
Florian Roth	30f2d84d53	PS Anomaly - New version missed other positives / including both versions	2017-10-11 10:13:10 +02:00
Florian Roth	12ea6bc9bf	Backdoor Snarasite	2017-10-08 00:14:03 +02:00
Florian Roth	3aad0049ec	Backdoor Banker Corkow https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf	2017-10-08 00:13:52 +02:00
Florian Roth	5c889db4a9	FreeMilk YARA rules bugfix - thx to M. Selck	2017-10-06 23:54:13 +02:00
Florian Roth	97c97a803c	Uncommon size adjustments for new Win10 files	2017-10-06 10:19:51 +02:00
Florian Roth	dbec537768	FreeMilk APT - Palo Alto Networks Report https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/	2017-10-05 20:42:55 +02:00
Florian Roth	3560d720f7	URL file pointing to local EXE	2017-10-04 14:42:34 +02:00
Florian Roth	f44c9b9fcb	PowerShell improved casing anomaly rule, WScript anomaly rule	2017-10-03 19:36:54 +02:00
Florian Roth	354ea043bb	Hacktool RedSails https://github.com/BeetleChunks/redsails	2017-10-03 19:36:17 +02:00
Florian Roth	3ea15953b9	WinDivert Driver - PUA: User mode packet capturing driver	2017-10-03 19:35:49 +02:00
Florian Roth	2b6cc72f64	CMSTAR Malware https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/	2017-10-03 19:35:15 +02:00
Florian Roth	8574935d17	APT17 Malware September 2017 http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/	2017-10-03 19:34:53 +02:00
Florian Roth	1d8093a9de	New suspicious PowerShell scripts	2017-10-01 00:24:31 +02:00
Florian Roth	8b3a138995	Minor changes to rule FP exclusions	2017-09-29 08:47:22 +02:00
Florian Roth	f15d1fef2a	Xtreme RAT Sigs	2017-09-29 08:46:42 +02:00
Florian Roth	ae82dd03a8	False Positive Reduction	2017-09-27 16:35:14 +02:00
Florian Roth	c5737c7c37	Microcin YARA rules derived from samples in report https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf	2017-09-27 16:34:34 +02:00
Florian Roth	78ff581ede	Removed false positive rule	2017-09-27 16:34:24 +02:00
Florian Roth	558c99efc0	Invoke-Metasploit	2017-09-24 10:22:19 +02:00
Florian Roth	5226344c35	Sharpire	2017-09-24 10:22:09 +02:00
Florian Roth	dde5dd8bce	Webshell Alfa Shell	2017-09-22 08:44:03 +02:00
Florian Roth	b0e79303e0	False Positive Reduction	2017-09-21 08:36:25 +02:00
Florian Roth	bf93fe559b	Improved Exploits CVE-2017-8759	2017-09-16 08:34:51 +02:00
Florian Roth	a2f765d1da	Corrected wording	2017-09-15 20:25:23 +02:00
Florian Roth	cb99556460	Exploits CVE-2017-8759	2017-09-15 20:23:51 +02:00
Florian Roth	244a922e70	False Positive Reduction	2017-09-15 11:30:03 +02:00
Florian Roth	81fc855b66	False Positive Reduction	2017-09-13 10:45:55 +02:00
Florian Roth	ae5e596f68	DragonFly APT	2017-09-12 08:22:07 +02:00
Florian Roth	2466c47263	PowerShell Case Anomalies	2017-09-12 00:19:38 +02:00
Florian Roth	5206ded7d1	False Positive Reduction	2017-09-12 00:19:09 +02:00
Florian Roth	da83b52200	Rehashed RAT	2017-09-10 00:29:29 +02:00
Florian Roth	85e98c2c1f	Monsoon APT	2017-09-10 00:29:17 +02:00
Florian Roth	89e8fd8fcb	Revenge RAT	2017-09-05 10:42:59 +02:00
Florian Roth	40d6afcc13	APT Turla Gazer https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/	2017-09-02 08:26:07 +02:00
Florian Roth	8077fe850d	KHRAT malware update with scripts	2017-09-01 09:12:45 +02:00
Florian Roth	e748094282	KHRAT	2017-08-31 22:20:17 +02:00
Florian Roth	d2f0457c9a	False Positive 'Tools_termsrv'	2017-08-31 22:19:14 +02:00
Florian Roth	c7dc0ceae4	APT12 Malware	2017-08-30 20:19:40 +02:00
Florian Roth	c387cbecf7	Reduced false positives	2017-08-30 20:19:25 +02:00
Florian Roth	d3a90dfd17	Improved certutil rule	2017-08-30 20:19:09 +02:00
Florian Roth	76ebe6c67b	Suspicious JS Run	2017-08-30 20:18:55 +02:00
Florian Roth	4c6377ae9a	Changed tabs to spaces	2017-08-30 20:11:15 +02:00
Florian Roth	194e8b9d74	thor-hacktools.yar - some cherry picked rules	2017-08-30 20:11:00 +02:00
Florian Roth	9c5b1b1863	Malware used in South Korean campaign https://twitter.com/eyalsela/status/900248754091167744	2017-08-23 13:21:56 +02:00
Florian Roth	2169ca69dc	ShadowPad new Imphash	2017-08-23 13:21:21 +02:00
Florian Roth	cec8e3db5f	Suspicious script running from http/https	2017-08-23 13:21:09 +02:00
Florian Roth	d7e3185df4	Tick Datper http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html	2017-08-21 17:20:01 +02:00
Florian Roth	43d129b336	PowerShdll	2017-08-21 15:03:29 +02:00
Florian Roth	737943f40c	More reflective DLL loaders	2017-08-20 12:06:08 +02:00
Florian Roth	c59a0b1e80	CHAOS Payload	2017-08-18 00:58:33 +02:00
Florian Roth	64e17301ae	ShadowPad malicious nssock2.dll https://securelist.com/shadowpad-in-corporate-networks/81432/	2017-08-15 21:12:57 +02:00
Florian Roth	b0be3141d8	Adjusted build options in make file to yara-python, rule renamed	2017-08-15 20:30:28 +02:00
Florian Roth	2444eb6d8f	Pupy RAT Generic Rule	2017-08-12 21:48:18 +02:00
Florian Roth	f57c5e56ec	Cobalt Strike CN group dropper, CobaltGang malware	2017-08-12 09:08:32 +02:00
Florian Roth	3be35fc5ba	Improved ReflectiveLoader rule	2017-08-12 09:04:42 +02:00
Florian Roth	2091087567	Updated hacktool producers	2017-08-11 16:47:20 +02:00
Florian Roth	f3961c6c2c	Disabled rule using feature that isn't available in prebuild YARA 3.5.0	2017-08-11 16:00:29 +02:00
Florian Roth	1ae31addcb	CVE-2017-9800 exploit	2017-08-11 14:03:24 +02:00
Florian Roth	c9a80a958c	False Positive Reduction	2017-08-07 17:57:35 +02:00
Florian Roth	e89c558936	Agent.BTZ http://www.intezer.com/new-variants-of-agent-btz-comrat-found/	2017-08-07 15:16:22 +02:00
Florian Roth	d85c1108ef	Impacket Generic Rule	2017-08-07 14:52:45 +02:00
Florian Roth	28e5995c27	FIN7 Backdoor https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor	2017-08-07 14:32:33 +02:00
Florian Roth	d85a7422a9	False Positive Reduction	2017-08-07 12:47:13 +02:00
Florian Roth	d4d10331a9	Zeus Panda	2017-08-05 14:54:13 +02:00
Florian Roth	c62209983b	Foudre Malware (Infy) https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/	2017-08-02 08:43:10 +02:00
Florian Roth	6243ca31f6	avdapp.dll False Positive	2017-08-01 16:21:57 +02:00
Florian Roth	ba25f2e452	Malware Unspecified	2017-08-01 14:01:53 +02:00
Florian Roth	6f7c4d9459	CactusTorch Rule	2017-07-31 14:52:02 +02:00
Florian Roth	7917b639bf	Improved ReflectiveLoader Rule	2017-07-31 14:51:46 +02:00
Florian Roth	1a062a5f18	False Positive Reduction	2017-07-30 11:54:03 +02:00
Florian Roth	3d52e22109	AllTheThings	2017-07-29 13:35:07 +02:00
Florian Roth	5e8d5add05	PowerShell Empire Mods Eval	2017-07-29 13:34:49 +02:00
Florian Roth	4c5e50e9f1	MyWScript Dropper	2017-07-29 13:34:37 +02:00
Florian Roth	a8f6bb60f1	False Positive Reduction	2017-07-29 13:34:21 +02:00
Florian Roth	ffed1820f5	Reflective Loader rule extended	2017-07-26 03:59:31 +02:00
Florian Roth	c5b5414fd6	Wilted Tulip YARA Signatures	2017-07-25 15:24:20 +02:00
Florian Roth	2e6351ca48	Removed duplicate Invoke-Mimikatz	2017-07-23 10:15:49 -06:00
Florian Roth	f8447db7e9	Invoke Mimikatz and Kekeo update	2017-07-22 07:57:58 -06:00
Florian Roth	05ee5af114	Bugfix in Rule	2017-07-20 12:27:16 -06:00
Florian Roth	1f0cad89f1	Bugfixes and False Positive Reduction	2017-07-20 12:24:49 -06:00
Florian Roth	f349e2df17	PS AMSI Bypass, JS Obfuscation/Dropbox, MSHTA Bypass	2017-07-19 19:50:59 -06:00
Florian Roth	b98ad7989d	Renamed rule	2017-07-19 19:50:26 -06:00
Florian Roth	0e05adc80d	Exploit code CVE-2015-2545	2017-07-19 19:47:39 -06:00
Florian Roth	990e20e3b6	Mimikatz Rules synct, SecurityXploded rule	2017-07-19 19:09:25 -06:00
Florian Roth	a5c774788c	POSHSPY malware	2017-07-19 11:40:16 -06:00
Florian Roth	bfd2d404dc	Merge pull request #17 from wesdawg/patch-1 WildNeutron False Positive Fix	2017-07-19 10:18:24 -06:00
Florian Roth	b4b45111a8	Unspecified Malware Jul17 2C	2017-07-19 10:17:25 -06:00
Florian Roth	2ee1f0fae8	LSASS Dump only if not filename starts with WER	2017-07-19 10:17:00 -06:00
Florian Roth	9146e905b3	Identified unspecified malware as Sality	2017-07-19 10:16:32 -06:00
wesdawg	e657e23aed	Remove chickenkiller domain string chickenkiller is dynamic DNS, not WildNeutron specific.	2017-07-18 16:46:58 -04:00
Florian Roth	ccac0893d8	Disclosed Disclosed 0day POC set	2017-07-13 08:36:43 -06:00
Florian Roth	f55f9b5205	NCCGroups WinPayloads	2017-07-13 08:02:20 -06:00
Florian Roth	2b8f5e9249	False Positive Reduction	2017-07-13 08:00:52 -06:00
Florian Roth	90499b61d7	PAS Webshell	2017-07-11 13:38:38 -06:00
Florian Roth	58e79dbac1	Reconnaissance keywords in file	2017-07-10 18:08:55 -06:00
Florian Roth	01cd66cc84	Improved a suboptimal UAC elevation rule	2017-07-10 13:59:46 -06:00
Florian Roth	5665dfaad3	Executable with add user to local administrators command line	2017-07-09 14:07:50 -06:00
Florian Roth	4bebc275ec	ZXShell Rules - RSA Report	2017-07-09 14:07:20 -06:00
Florian Roth	1c123a0f67	MimiPenguin Update	2017-07-08 16:32:00 -06:00
Florian Roth	d2ae9c03d9	Winnti HDRoot samples	2017-07-08 13:08:38 -06:00
Florian Roth	e08390762d	Molerats July 2017	2017-07-08 10:35:11 -06:00
Florian Roth	cf43aa68d2	Added 3rd hash to TeleDoor backdoor rule	2017-07-05 14:00:14 -06:00
Florian Roth	859a183bfa	TeleDoor YARA Signature	2017-07-05 13:34:41 -06:00
Florian Roth	ca2c820f5c	Powershell in Word Doc	2017-07-01 14:35:23 +02:00
Florian Roth	366b9095fe	Malware / Bot / Andromeda Jun 17	2017-07-01 14:35:09 +02:00
Florian Roth	77299ec82d	Added hashes to rule	2017-06-28 08:34:56 +02:00
Florian Roth	6a256ba5c6	NotPetya Rule Update	2017-06-28 08:27:18 +02:00
Florian Roth	0d1125be4d	Yet another name refresh	2017-06-27 20:53:31 +02:00
Florian Roth	d2cb411ddc	NoPetya renamed	2017-06-27 20:37:21 +02:00
Florian Roth	f422b95ce3	NoPetya Ransomware	2017-06-27 20:35:25 +02:00
Florian Roth	61ce0b2d8f	Petya Ransomware	2017-06-27 17:42:57 +02:00
Florian Roth	701e306eb6	Reflective loader rule	2017-06-26 14:30:35 +02:00
Florian Roth	32a08da312	Bugfix in web shell rule	2017-06-26 14:18:30 +02:00
Florian Roth	203df010da	Wordpress Webshell	2017-06-26 08:07:29 +02:00
Florian Roth	e39ad5b411	Waterbear Malware	2017-06-24 08:53:52 +02:00
Florian Roth	7016ebb6ac	PowerShell Obfuscation - 1st rule for LOKI	2017-06-23 11:29:56 +02:00
Florian Roth	0f08853291	Crime CN Group BTC Miner and Ammyy Admin	2017-06-23 08:18:41 +02:00
Florian Roth	59a7d00307	Reference in HTA anomaly rules	2017-06-21 17:03:06 +02:00
Florian Roth	d5892fdbc6	HTA File Anomalies	2017-06-21 15:56:24 +02:00
Florian Roth	33c2a7fcc8	New Mimikatz Strings Rule	2017-06-21 15:56:06 +02:00
Florian Roth	91862d2006	False positive with KAV	2017-06-17 10:53:32 +02:00
Florian Roth	78c49917db	Invoke-TheHash	2017-06-14 21:46:43 +02:00
Florian Roth	024e26df96	Hidden Cobra IOCs and YARA Sigs	2017-06-14 09:16:23 +02:00
Florian Roth	9e830da305	Industroyer YARA Sigs	2017-06-14 09:05:54 +02:00
Florian Roth	b08898cbb2	Crash Override YARA Sigs https://t.co/h8QaIP4FU8	2017-06-12 19:49:08 +02:00
Florian Roth	32ec315e97	False Positive Reduction	2017-06-08 17:08:04 +02:00
Florian Roth	054a4f3061	Generic Credential Stealer	2017-06-07 16:21:24 +02:00
Florian Roth	0082d91da8	APT 19 - FireEye report https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html	2017-06-07 16:20:34 +02:00
Florian Roth	f4c725bb84	False Positive Reduction	2017-06-07 09:18:52 +02:00
Florian Roth	346b903485	Removed hacktoolset from rules	2017-06-06 23:21:29 +02:00
Florian Roth	ba81dfbebf	False Positive Reduction	2017-06-06 09:16:02 +02:00
Florian Roth	890c6f122b	FireEye - EternalBlue Non-Wannacry attack https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html	2017-06-04 17:00:14 +02:00
Florian Roth	8e5c129124	Renamed Rule	2017-06-03 14:36:07 +02:00
Florian Roth	d80a434473	Fireball Malware	2017-06-03 14:34:20 +02:00
Florian Roth	e0bb3b902e	TA459 Malware	2017-06-01 19:46:36 +02:00
Florian Roth	fc807db9ce	False Positives	2017-05-25 11:36:50 +02:00
Florian Roth	fec50df702	False Positives	2017-05-22 16:46:08 +02:00
Florian Roth	d8956eabe8	False Positives	2017-05-20 10:18:37 +02:00
Florian Roth	27ca4a3c23	EternalRocks	2017-05-18 08:51:29 +02:00
Florian Roth	9359eee461	Kaspersky's lazaruswannacry rule	2017-05-15 23:24:22 +02:00
Florian Roth	e65845f278	Malware Dropper - DOCM in PDF	2017-05-15 19:36:58 +02:00
Florian Roth	6b66ad72b8	Updated WannCry Ransomware Rule	2017-05-15 19:36:40 +02:00
Florian Roth	b519e7cc51	WannaCry - New Generic Rule	2017-05-14 16:13:18 +02:00
Florian Roth	629337be4e	Update on WannaCry Rules	2017-05-13 19:30:36 +02:00
Florian Roth	a8a3ec5348	Update on WannaCry Rules	2017-05-13 19:27:58 +02:00
Florian Roth	e785dcc509	Added WannaCry string for ZIP password	2017-05-13 11:27:40 +02:00
Florian Roth	3ce5d5a213	WannaCry YARA Rules	2017-05-13 10:05:08 +02:00
Florian Roth	4b9d80d4bd	Mirai Malware Update	2017-05-12 16:49:51 +02:00
Florian Roth	cbb45ab017	FP Hash DA5EE020BEF41DC95C3532CBAA1EA8F4	2017-05-12 15:48:50 +02:00
Florian Roth	b43cf3b185	Rule cleanup	2017-05-11 13:34:28 +02:00
Florian Roth	7522ec6f7e	Impacket Generic Rule FPs	2017-05-05 15:13:57 +02:00
Florian Roth	dd145e731a	ISMRAT	2017-05-04 12:22:58 +02:00
Florian Roth	0208aef709	Update on Snake/Turla - Shell scripts	2017-05-04 11:55:50 +02:00
Florian Roth	00b8270b65	Snake/Turla, FIN7, Kazuar	2017-05-04 11:28:03 +02:00
Florian Roth	66668ca36b	Enigma protected malware	2017-05-03 09:02:08 +02:00
Florian Roth	1365a6016b	EquationGroup FP	2017-05-03 09:01:57 +02:00
Florian Roth	adc742e6c3	US CERT Alert TA17-117A https://goo.gl/fZhL9H	2017-04-28 11:14:52 +02:00
Florian Roth	69c85e8d9f	False Positives	2017-04-28 10:32:36 +02:00
Florian Roth	225d917432	New rules for obfuscated samples	2017-04-22 13:54:08 +02:00
Florian Roth	7081f9926f	Updated DeepPanda rule	2017-04-22 13:53:46 +02:00
Florian Roth	9ef6409535	Removed Dumpel (Resource Kit Win 2000) False Positive	2017-04-19 13:55:49 +02:00
Florian Roth	addeab74bb	meta data hash identifier fixed, scanner output rule	2017-04-17 16:49:04 +02:00
Florian Roth	cfebd5ea39	New Equation Group Signatures	2017-04-17 11:18:41 +02:00
Florian Roth	f9d0882a35	Remove byte chain that is slowing down scanning	2017-04-13 09:52:27 +02:00
Florian Roth	b496ed91a6	Changed OLE2Link signature	2017-04-12 19:11:36 +02:00
Florian Roth	2245f5d7cb	Renamed - Crime > Exploit	2017-04-12 15:52:06 +02:00
Florian Roth	a431674976	OLE2Link Update with NVISIO rule	2017-04-12 15:50:29 +02:00
Florian Roth	629afa0835	RFT OLE2Link Exploit	2017-04-12 11:25:22 +02:00
Florian Roth	46568f0d03	Removed rule prone to false positives	2017-04-10 13:02:20 +02:00
Florian Roth	a9fc876114	False positive comment in EQGRP rules	2017-04-10 00:07:13 +02:00
Florian Roth	2592ea04b4	Equation Group Tools	2017-04-09 23:31:32 +02:00
Florian Roth	efe01ca941	Compiled Impacket Tools	2017-04-08 12:58:04 +02:00
Florian Roth	a0b8a9039e	Floxif Malware	2017-04-08 12:57:47 +02:00
Florian Roth	70dc674fc7	Improved Cloud Hopper Malware Sigs	2017-04-08 12:57:20 +02:00
Florian Roth	997da192a8	Quasar RAT	2017-04-07 20:41:00 +02:00
Jonas Lejon	716be0088c	C2 hosts/strings for APT10 / Cloud Hopper	2017-04-07 09:32:42 +02:00
Florian Roth	b1bb790655	ROKRAT	2017-04-05 11:23:44 +02:00
Florian Roth	68c999de89	Operation Cloud Hopper	2017-04-05 11:23:31 +02:00
Florian Roth	1c4c8df573	APT Moonlight Maze	2017-04-03 21:33:07 +02:00
Florian Roth	6316b06a35	Removed other rules from this set	2017-04-03 09:39:35 +02:00
Florian Roth	2815d65738	Mimipenguin	2017-04-01 11:56:35 +02:00
Florian Roth	3d505b74b3	Carbon - Turla - rules by ESET	2017-04-01 11:56:20 +02:00
Florian Roth	c1af41f3f9	False Positives https://github.com/Neo23x0/signature-base/issues/7	2017-03-28 08:32:20 +02:00
Florian Roth	a5be8e42f6	Osiris Device Guard Bypass	2017-03-27 09:39:43 +02:00
Florian Roth	46444066a6	WMI Implant PowerShell	2017-03-24 17:33:26 +01:00
Florian Roth	8734ab6680	Javascript obfuscated PowerShell (droppers)	2017-03-24 14:52:26 +01:00
Florian Roth	f90da1ff10	WPR and BeyondExec	2017-03-17 16:08:44 +01:00
Florian Roth	f39f51d234	Suspicious PowerShell Invocation	2017-03-12 17:06:18 +01:00
Florian Roth	9f96ed873e	Bugfix - non OpenSSL binaries	2017-03-09 18:09:15 +01:00
Florian Roth	8c0de6120e	Removed False Positives	2017-03-07 21:09:38 +01:00
Florian Roth	b73d07558a	Tiny JSP Webshell YARA Rule	2017-03-07 11:24:48 +01:00
Florian Roth	48a8a94196	StoneDrill Threat: YARA rules and filename IOCs	2017-03-07 11:24:27 +01:00
Florian Roth	8bf466a9ac	Kriskynote Malware	2017-03-04 14:38:35 +01:00
Florian Roth	ea2c46df32	Derusbi Samples	2017-03-04 14:38:20 +01:00
Florian Roth	db4465f417	New Simple PHP Webshell	2017-03-04 14:36:07 +01:00
Florian Roth	c64d284911	ChChes - Ham / Tofu Backdoors by Cylance	2017-02-28 14:05:19 +01:00
Florian Roth	a564860d0a	PowerShell Rule Bugfix	2017-02-23 17:42:26 +01:00
Florian Roth	8dc9ba46d5	Suspicious PowerShell Code	2017-02-23 17:13:04 +01:00
Florian Roth	a4544d7c2a	Op Magic Hound YARA Signatures http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/	2017-02-17 15:48:58 +01:00
Florian Roth	72f3c49d99	False positives with AV software DLLs (ESET)	2017-02-17 15:48:21 +01:00
Florian Roth	7d5227d20f	Removed WebShell_Generic_PHP_5 prone to false positives	2017-02-16 19:41:26 +01:00
Florian Roth	2cd4d7b422	Deactivated False Positives in Grizzly Steppe Rules - US CERT	2017-02-12 18:26:02 +01:00

... 3 4 5 6 7 ...

592 Commits