valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 10:28:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
996 Commits 2 Branches 1 Tag 33 MiB
3a36eabb3f
Commit Graph

746 Commits

Author SHA1 Message Date
Florian Roth
3a36eabb3f ATM malware rule 2019-07-17 22:10:59 +02:00
Florian Roth
e769a4e981 Nick Carr's modified IQY rule 2019-07-15 14:08:59 +02:00
John Lambert
dc8b24e87e
Create gen_suspicious_InPage_dropper.yar 
InPage file format exploit detection
 2019-07-03 07:08:49 -07:00
Florian Roth
5ceb00a0f6 AveMaria RAT 2019-07-02 20:29:33 +02:00
Florian Roth
815a59cc19 ZIP with .doc.lnk contents 2019-07-02 20:29:24 +02:00
Florian Roth
dbd1062b76 Suspicious VBA contents 2019-06-21 17:18:44 +02:00
Florian Roth
bfc6027482 XMRIG reference 2019-06-21 17:18:34 +02:00
Florian Roth
438a5c2fd7 Better MSI detection 2019-06-21 17:18:25 +02:00
Florian Roth
253371fef1 Some rule adjustments 2019-06-02 12:17:05 +02:00
Florian Roth
da7c9c5875 Nansh0u Crypto Miner Campaign 
https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
 2019-05-31 13:21:12 +02:00
Florian Roth
2e422bb5e8 Quasar RAT new rule 2019-05-28 09:49:22 +02:00
Florian Roth
3b2ef8f255 Linux Pnscan 2019-05-28 09:47:24 +02:00
Florian Roth
ba72f44b98 FPs in APT domains 2019-05-20 10:53:56 +02:00
Florian Roth
9f9f99ad69 Sofacy Indicators 2019-05-19 09:59:44 +02:00
Florian Roth
dbc720e5fe FPs 2019-05-17 15:41:52 +02:00
Florian Roth
6ff3452652 fixed two rules - FPs 2019-05-17 15:41:04 +02:00
Florian Roth
fb7a241b99 APT Winnti Linux 
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
 2019-05-15 20:12:56 +02:00
Florian Roth
2bf7076ccb RobinHood Ransomware 2019-05-15 13:10:27 +02:00
Florian Roth
6091e5f1f5 docs: changed reference in rule 2019-04-29 19:09:17 +02:00
Florian Roth
94a921593a SUSP_Base64_Encoded_Hex_Encoded_Code 
https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
 2019-04-29 15:40:29 +02:00
Florian Roth
843340a1f6 One of the new BabyShark rules for KimJongRAT 
https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
 2019-04-28 11:46:24 +02:00
Florian Roth
4153962b3c InjectDLL keyword - low scoring rule 2019-04-28 11:44:58 +02:00
Florian Roth
aa10cc3e09 Gamaredon group SFX dropper 2019-04-24 20:35:51 +02:00
Florian Roth
853762d0f4 DNSpionage Karkoff malware 2019-04-24 14:29:41 +02:00
Florian Roth
faf86f38ee Suspicious DropperBackdoor keyword 2019-04-24 10:35:10 +02:00
Florian Roth
48c5533ee8 Suspicious Netsh PortProxy command 2019-04-24 10:34:59 +02:00
Florian Roth
89b893219f APT34 / OilRig PowerShell malware 
https://twitter.com/0xffff0800/status/1118406371165126656
 2019-04-17 13:52:03 +02:00
Florian Roth
b8451ac254 APT NK HiddenCobra HOPLIGHT 2019-04-14 18:07:07 +02:00
Florian Roth
6b51398f01 fix: deactivate rule due to missing support for md5() 2019-04-10 11:12:21 +02:00
Florian Roth
989a5fb54d Duqu 1_5, Flame2 Orchestrator, Stuxshop YARA 2019-04-09 08:47:58 +02:00
Florian Roth
ce4b185127 Ransomware Wadhrama 2019-04-07 20:20:11 +02:00
Florian Roth
c1e2b7bc11 Suspicious RAR with .pdf ext obfuscation 2019-04-06 15:18:59 +02:00
Florian Roth
88101050ff APT37 rule by Steve Miller 2019-04-06 15:18:28 +02:00
Florian Roth
4c9d93b316 False Positives with SysInternals_Tool_Anomaly 2019-04-02 15:57:33 +02:00
Florian Roth
4511fcdc46 Fixed date values 2019-04-01 16:29:36 +02:00
Florian Roth
4e7795e86b ATM Malware JavaDispCache by Frank Boldewin 
https://twitter.com/r3c0nst/status/1111254169623674882
 2019-03-28 14:25:44 +01:00
Florian Roth
aad4925d37 Improved TA17-293A rule by Kyle O'Meara 
https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html
 2019-03-26 11:41:00 +01:00
Florian Roth
c4b6c032f9 Operation ShadowHammer YARA rule 2019-03-25 18:37:42 +01:00
Florian Roth
3b15bd805b Improved LockerGoga rule (ransom note) 2019-03-19 16:53:29 +01:00
Florian Roth
d249f94c12 LockerGoga 
https://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/
 2019-03-19 15:36:56 +01:00
Florian Roth
e9f0b5c239 False Positive Reduction 2019-03-19 15:36:34 +01:00
Florian Roth
9c1aff0963 False Positive Reduction 2019-03-08 10:13:00 +01:00
Florian Roth
0c1d02a6ef fix: fix in rule improvement 2019-03-02 17:14:36 +01:00
Florian Roth
78706dbe46 Reworked many rules based on YARA performance guidelines 
https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
 2019-03-02 16:02:11 +01:00
Florian Roth
f3371f2cfd Obfuscated Batch Script 2019-03-01 08:30:35 +01:00
Florian Roth
9e051bd768 ATM malware dispenserXFS 2019-02-28 13:17:16 +01:00
Florian Roth
fe92bee246 FP: sublime package - recon commands 2019-02-26 11:46:00 +01:00
Florian Roth
cb46d0e0ba False Positive Reduction 2019-02-24 13:15:53 +01:00
Florian Roth
11bbd517f8 APT BabyShark rule 
https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 2019-02-24 13:15:40 +01:00
Florian Roth
d0b1e17dec False Positive Reduction 2019-02-19 23:46:28 +01:00