Commit Graph

448 Commits

Author SHA1 Message Date
Florian Roth
364da99da5 Decting DDE in Office Docs - Sigs by NVISO Labs
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
2017-10-11 14:10:38 +02:00
Florian Roth
d4f661decc False Positive Reduction 2017-10-11 10:57:01 +02:00
Florian Roth
adf95a4396 Combined PS Anomaly rules to a single rule 2017-10-11 10:37:33 +02:00
Florian Roth
30f2d84d53 PS Anomaly - New version missed other positives / including both versions 2017-10-11 10:13:10 +02:00
Florian Roth
12ea6bc9bf Backdoor Snarasite 2017-10-08 00:14:03 +02:00
Florian Roth
3aad0049ec Backdoor Banker Corkow
https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf
2017-10-08 00:13:52 +02:00
Florian Roth
5c889db4a9 FreeMilk YARA rules bugfix - thx to M. Selck 2017-10-06 23:54:13 +02:00
Florian Roth
97c97a803c Uncommon size adjustments for new Win10 files 2017-10-06 10:19:51 +02:00
Florian Roth
dbec537768 FreeMilk APT - Palo Alto Networks Report
https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
2017-10-05 20:42:55 +02:00
Florian Roth
3e7c48c5ee Fixed regular expressions in filename IOCs 2017-10-05 16:06:46 +02:00
Florian Roth
3560d720f7 URL file pointing to local EXE 2017-10-04 14:42:34 +02:00
Florian Roth
f44c9b9fcb PowerShell improved casing anomaly rule, WScript anomaly rule 2017-10-03 19:36:54 +02:00
Florian Roth
354ea043bb Hacktool RedSails
https://github.com/BeetleChunks/redsails
2017-10-03 19:36:17 +02:00
Florian Roth
3ea15953b9 WinDivert Driver - PUA: User mode packet capturing driver 2017-10-03 19:35:49 +02:00
Florian Roth
2b6cc72f64 CMSTAR Malware
https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/
2017-10-03 19:35:15 +02:00
Florian Roth
8574935d17 APT17 Malware September 2017
http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/
2017-10-03 19:34:53 +02:00
Florian Roth
1d8093a9de New suspicious PowerShell scripts 2017-10-01 00:24:31 +02:00
Florian Roth
8b3a138995 Minor changes to rule FP exclusions 2017-09-29 08:47:22 +02:00
Florian Roth
f15d1fef2a Xtreme RAT Sigs 2017-09-29 08:46:42 +02:00
Florian Roth
ae82dd03a8 False Positive Reduction 2017-09-27 16:35:14 +02:00
Florian Roth
c5737c7c37 Microcin YARA rules
derived from samples in report https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf
2017-09-27 16:34:34 +02:00
Florian Roth
78ff581ede Removed false positive rule 2017-09-27 16:34:24 +02:00
Florian Roth
558c99efc0 Invoke-Metasploit 2017-09-24 10:22:19 +02:00
Florian Roth
5226344c35 Sharpire 2017-09-24 10:22:09 +02:00
Florian Roth
dde5dd8bce Webshell Alfa Shell 2017-09-22 08:44:03 +02:00
Florian Roth
b0e79303e0 False Positive Reduction 2017-09-21 08:36:25 +02:00
Florian Roth
6bd3d07baa More malicious CCleaner hashes 2017-09-18 16:20:17 +02:00
Florian Roth
4699b5d732 Malicious CCleaner versions 2017-09-18 15:56:08 +02:00
Florian Roth
ddefcaa510 Vulnerable Apache Struts versions by @DCSO_de @DCSO
https://github.com/DCSO/vulninfos/tree/master/ApacheStrutsVulnerabilities
2017-09-16 08:36:57 +02:00
Florian Roth
bf93fe559b Improved Exploits CVE-2017-8759 2017-09-16 08:34:51 +02:00
Florian Roth
a2f765d1da Corrected wording 2017-09-15 20:25:23 +02:00
Florian Roth
cb99556460 Exploits CVE-2017-8759 2017-09-15 20:23:51 +02:00
Florian Roth
3c08811c81 False Positive Reduction 2017-09-15 11:31:16 +02:00
Florian Roth
244a922e70 False Positive Reduction 2017-09-15 11:30:03 +02:00
Florian Roth
81fc855b66 False Positive Reduction 2017-09-13 10:45:55 +02:00
Florian Roth
ae5e596f68 DragonFly APT 2017-09-12 08:22:07 +02:00
Florian Roth
2466c47263 PowerShell Case Anomalies 2017-09-12 00:19:38 +02:00
Florian Roth
5206ded7d1 False Positive Reduction 2017-09-12 00:19:09 +02:00
Florian Roth
da83b52200 Rehashed RAT 2017-09-10 00:29:29 +02:00
Florian Roth
85e98c2c1f Monsoon APT 2017-09-10 00:29:17 +02:00
Florian Roth
89e8fd8fcb Revenge RAT 2017-09-05 10:42:59 +02:00
Florian Roth
40d6afcc13 APT Turla Gazer
https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
2017-09-02 08:26:07 +02:00
Florian Roth
8077fe850d KHRAT malware update with scripts 2017-09-01 09:12:45 +02:00
Florian Roth
e748094282 KHRAT 2017-08-31 22:20:17 +02:00
Florian Roth
d2f0457c9a False Positive 'Tools_termsrv' 2017-08-31 22:19:14 +02:00
Florian Roth
c7dc0ceae4 APT12 Malware 2017-08-30 20:19:40 +02:00
Florian Roth
c387cbecf7 Reduced false positives 2017-08-30 20:19:25 +02:00
Florian Roth
d3a90dfd17 Improved certutil rule 2017-08-30 20:19:09 +02:00
Florian Roth
76ebe6c67b Suspicious JS Run 2017-08-30 20:18:55 +02:00
Florian Roth
4c6377ae9a Changed tabs to spaces 2017-08-30 20:11:15 +02:00