valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 18:38:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
996 Commits 2 Branches 1 Tag 33 MiB
3a36eabb3f
Commit Graph

746 Commits

Author SHA1 Message Date
Florian Roth
0b96d7131d APT10 rule update with imphash rule 2018-12-29 09:17:56 +01:00
Florian Roth
900796dcdf Hacktool NoPowerShell 2018-12-28 14:57:03 +01:00
Florian Roth
046b5736d0 YARA rule description cleanup 2018-12-28 12:38:31 +01:00
Florian Roth
cf85a7cd31 YARA rule svchosts 2018-12-22 09:12:34 +01:00
Florian Roth
72eaa194ae Area1 Phishing Diplomacy Rules 2018-12-19 19:17:51 +01:00
Florian Roth
f73324aa1a Minor adjustments in gen_malware_MacOS_plist_suspicious rule 2018-12-16 10:10:42 +01:00
John Lambert
bd8185482f
Detect suspicious MacOS launch agent config files 
plist files contain configuration for user-specific background jobs in OSX. Malware abuses this feature for persistence. Coin miners have been seen to use this feature as well.
 2018-12-14 13:55:31 -08:00
Florian Roth
13b238f39f Fixed character formatting to wide in SUSP_Scheduled_Task_BigSize 2018-12-14 08:58:10 +01:00
Florian Roth
1b959e2a3b False Positives on Exchange with SUSP_Scheduled_Task_BigSize 2018-12-14 08:55:48 +01:00
Florian Roth
e4dd8c610c Fixed some dates 2018-12-14 08:55:27 +01:00
Florian Roth
e118b0c92e Rule: Powershell Obfuscation 2018-12-13 14:25:01 +01:00
Florian Roth
826446a785 Low scoring rule: Anomaly - Linux UPX compressed binaries 2018-12-13 14:24:41 +01:00
Florian Roth
ab5ac55a1b New HawkEye keylogger rule 2018-12-12 09:24:12 +01:00
Florian Roth
a22874af46 Lazagne Password Dumper 2018-12-11 15:12:42 +01:00
Florian Roth
80a090685d False Positive Reduction and Cleanup 2018-12-11 15:08:39 +01:00
Florian Roth
9d38c8f4b3 Suspicious Scheduled Task BigSize 2018-12-07 08:20:44 +01:00
Florian Roth
2ed2af38f8 Suspicious Pirated Office 2007 2018-12-07 08:20:31 +01:00
Florian Roth
73bfc659da fix: bugfix in SSHDoor rule - missing "and" 2018-12-05 21:03:24 +01:00
Florian Roth
a2c2478527 Limited SSHDoor rule to ELF to avoid false positives 2018-12-05 21:00:25 +01:00
Florian Roth
63010d1954 Linux/SSHDoor - Triton related by ESET - modified version 
https://github.com/eset/malware-ioc/tree/master/sshdoor
 2018-12-05 20:58:02 +01:00
Florian Roth
0a3567621b fix: bugfix in generic_anomalies rule 2018-12-01 13:32:26 +01:00
Florian Roth
9291c8c9a1 fix: bugfix in general_anomalies.yar rule 2018-12-01 13:02:18 +01:00
Florian Roth
8cd247169a False Positive Reduction 2018-12-01 08:33:33 +01:00
Florian Roth
3d1088575d DNSPIONAGE 
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
 2018-12-01 08:33:20 +01:00
Florian Roth
db9ea97d62 fix: missing pe import 2018-11-23 08:38:19 +01:00
Florian Roth
8a22d4d403 Removed duplicate rules 2018-11-23 08:33:07 +01:00
Florian Roth
9d1848627d Removed duplicate rules 2018-11-23 08:32:57 +01:00
Florian Roth
0f6acf4674 Turla PNG dropper 
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
 2018-11-23 08:32:10 +01:00
Florian Roth
16e70f3d2e APT28 Cannon Trojan 2018-11-21 21:29:31 +01:00
Florian Roth
79f9a0fb4c Suspicious Office Droppers 2018-11-21 11:18:05 +01:00
Florian Roth
1b0fc045a4 Added David to the authors 2018-11-15 17:25:58 +01:00
Florian Roth
c6c86e7eca Nick's rule for Base64 encoded PS1 shellcode 2018-11-15 15:12:30 +01:00
Florian Roth
5e0adc108b Added LOKI / SPARK specific rule to thor's inverse set 2018-11-15 09:23:01 +01:00
Florian Roth
427c221d42 Suspicious renamed Dot1Xtray rule DLL-Sideloading 2018-11-15 09:21:21 +01:00
Florian Roth
1dd9a238be JexBoss Webshells 2018-11-09 08:42:39 +01:00
Florian Roth
061e7bd3f5 Renamed DriveCrypt rule 2018-11-09 08:28:21 +01:00
Florian Roth
3dc1826e89 New JRAT rule 2018-11-09 08:28:05 +01:00
Florian Roth
860e9cd600 Backnet Open Source C# backdoor 2018-11-09 08:27:53 +01:00
Florian Roth
2ae56a9b21 JPCERT CobaltStrike beacon rule 2018-11-09 08:27:38 +01:00
Florian Roth
f0edb3c047 Suspicious size of ASUS tuning tool 2018-10-30 09:41:59 +01:00
Florian Roth
385c91446e Suspicious Win32dll string 2018-10-30 09:41:46 +01:00
Florian Roth
4e5c40cc93 Cobalt Gang Rule by PaloAltoNetwroks 
https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/
 2018-10-30 09:17:04 +01:00
Florian Roth
a364ab0cc7 Updated Mirai rules 2018-10-27 21:58:34 +02:00
Florian Roth
91ad6d20a4 Grey Energy 
https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/
 2018-10-22 00:40:07 +02:00
Florian Roth
2498a802eb jQuery File Upload Vulnerability 
https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
 2018-10-19 09:07:37 +02:00
Florian Roth
f6fb2a2d22 Hacktool SqlMap update 2018-10-19 09:06:24 +02:00
Florian Roth
c8d3a207a8 False Positive Reduction 2018-10-19 09:06:10 +02:00
Florian Roth
a62eeef8ba Suspicious IEX PowerShell Combo 2018-10-10 16:30:50 +02:00
Florian Roth
ee33d93858 Suspicious String Obfuscation Concat 2018-10-10 16:30:32 +02:00
Florian Roth
ce17d9ab65 False Positive Reduction 2018-10-10 16:30:08 +02:00
Florian Roth
a7cbf7b9c7 Suspicious SFX running wscript.exe 2018-09-28 13:29:43 +02:00
Florian Roth
7dd457c5b3 Suspicious CMD Var expansion in Office Docs 2018-09-28 13:29:35 +02:00
Florian Roth
a907fd2210 False Positive Reduction 
https://github.com/Neo23x0/signature-base/issues/44
 2018-09-24 12:30:09 +02:00
Florian Roth
d6a2d00cb7 Xbash 
https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
 2018-09-20 07:38:08 +02:00
Florian Roth
265ad6fba8 Suspicious LNK files 2018-09-19 08:51:23 +02:00
Florian Roth
9412f650d8 Fix: tightened the SFX rule 2018-09-17 08:27:58 +02:00
Florian Roth
954bb96328 Anomaly: SFX with Microsoft Copyright 2018-09-17 08:21:16 +02:00
Florian Roth
f2984271d4 Generic rule: Suspicious office dropper strings 2018-09-14 00:24:44 +02:00
Florian Roth
3efa3f9648 BlackBone Driver Injector 2018-09-11 13:34:44 +02:00
Florian Roth
eed7fcdf4c False Positive Reduction 2018-09-11 13:34:14 +02:00
Florian Roth
1d3baf823b Fixed error in RC4 keys list 2018-08-26 20:16:40 +02:00
Florian Roth
7c8745c59e License notice on my own rules, removed rules with unclear/problematic licensing 2018-08-26 12:48:01 +02:00
Florian Roth
3281e6dc72 APT Lazarus Operation Applejeus YARA rules 2018-08-26 12:48:01 +02:00
Florian Roth
3fb661511c Modified mimikatz rule to exclude low performing expr 2018-08-26 12:48:01 +02:00
Florian Roth
4a1deff33c DriveCrypt exploits 2018-08-22 11:10:00 +02:00
Florian Roth
8ddab9bd5a False Positive Reduction https://github.com/Neo23x0/signature-base/issues/42 2018-08-22 11:09:39 +02:00
Florian Roth
5d4ed2203d fix: fixed typo in rule name 2018-08-21 11:09:06 +02:00
Florian Roth
e3d60d7899 Metasploit Framework UA 2018-08-21 10:59:12 +02:00
Florian Roth
a30f16f056 False Positive Reduction 2018-08-21 10:58:45 +02:00
Florian Roth
9020d1f005 More HiddenCobra rules 
https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
 2018-08-13 16:27:03 +02:00
Florian Roth
1ee9142dc5 Improved certificate payload rule 2018-08-02 15:47:42 +02:00
Florian Roth
62400d7324 fix: missing import "pe" statement 2018-08-02 12:20:24 +02:00
Florian Roth
5141e33893 YARA rules for sample in FireEye's FIN7 report 
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 2018-08-02 12:15:01 +02:00
Florian Roth
1ba9e9f57f DarkHydrus YARA rules 2018-08-02 11:51:03 +02:00
Florian Roth
3e9a1a5579 Certificate Payloads 2018-08-02 11:50:29 +02:00
Florian Roth
9bdccc2360 Hacktools: BeRoot, PDF Embedded Mal Code 2018-07-27 13:25:10 +02:00
Florian Roth
0cd91f3afe FancyBear MacOS Agent 2018-07-16 11:44:59 -06:00
Florian Roth
1bea712d70 False Positive Reduction 2018-07-16 11:44:41 -06:00
Florian Roth
24a899602e fix: Added missing import statement for "pe" module 2018-07-14 08:06:35 -06:00
Florian Roth
af76f26aa3 Big Bang report by Check Point 
https://research.checkpoint.com/apt-attack-middle-east-big-bang/
 2018-07-14 07:58:52 -06:00
Florian Roth
e6d6825c94 Monero miner update 2018-07-06 16:07:00 -06:00
Florian Roth
c2634bfa23 APT Rancor 
https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/
 2018-06-27 07:57:03 +02:00
Florian Roth
4122386cba Limited Cloud Hopper Rule 2018-06-25 10:57:21 +02:00
Florian Roth
93f62d8300 Hacktool PowerSploit Dropper 2018-06-24 22:44:28 +02:00
Florian Roth
5f87e74c00 Tick Weaponized USB 2018-06-24 22:44:11 +02:00
Florian Roth
1c41cd5d16 APT Thrip 
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
 2018-06-22 00:01:47 +02:00
Florian Roth
04a5426a14 Minor changes and adjustments 2018-06-22 00:00:14 +02:00
Florian Roth
c835b3a58c PLEAD Downloader 2018-06-16 17:40:31 +02:00
Florian Roth
3b25bd8a05 AR18-165 YARA rules 2018-06-16 17:40:18 +02:00
Florian Roth
e53539d7e4 Turla Agent.BTZ 2018-06-16 17:39:25 +02:00
Florian Roth
edfdb48bdc Score adjusted 2018-06-13 13:37:06 +02:00
Florian Roth
6dd31e254c New MuddyWater signature 2018-06-13 13:34:58 +02:00
Florian Roth
4a4a94fc9c Rules prone to false positives on process memory to "file" only 2018-06-13 08:30:02 +02:00
Florian Roth
c42709fe0d BluenoroffPoS DLL 
http://blog.trex.re.kr/
 2018-06-08 21:12:24 +02:00
Florian Roth
be2315b3cf False Positive Reduction 2018-06-08 21:11:39 +02:00
Florian Roth
8f48aa959b APT Lazarus RAT & Dropper 
https://twitter.com/DrunkBinary/status/1002587521073721346
 2018-06-03 00:28:59 +02:00
Florian Roth
55aa4639d2 TA18-149A YARA signatures 
https://www.us-cert.gov/ncas/alerts/TA18-149A
 2018-06-01 09:25:27 +02:00
Florian Roth
077384492c Updated BadPDF rule 2018-05-29 14:22:41 +02:00
Florian Roth
3596fea85a False Positive Reduction 2018-05-24 16:12:52 +02:00
Florian Roth
c9296e7ca8 VPNFilter YARA rules 2018-05-24 16:12:37 +02:00
Florian Roth
ee986a7e7b Bugfix - missing "pe" 2018-05-20 19:41:00 +02:00
Florian Roth
9f3067d594 Floxif / FlyStudio malware 2018-05-20 18:49:45 +02:00
Florian Roth
0838bfff7d Hacktool ShellPop shells 2018-05-20 18:49:45 +02:00
Florian Roth
ae1bd7b7ea Suspicious LNK file with path traversal like relative path 2018-05-20 18:49:45 +02:00
Florian Roth
4671958b12 Suspicious LNK file with reference to AppData Roaming 2018-05-20 18:49:45 +02:00
Florian Roth
da89105ae5 Another Microsoft Copyright Anomaly 2018-05-20 18:49:45 +02:00
Florian Roth
a06dae24aa Renamed Rule 2018-05-20 18:49:45 +02:00
Florian Roth
642cc04bb0 False Positive Reduction 2018-05-20 18:49:45 +02:00
r00t0vi4
7e95136760
Update generic_anomalies.yar 
Replace external variable "filetype" with hex 0x4749463839 (GIF89). 
It's a simplifies rules. You are using external variable "filetype" only in this place.
 2018-05-07 15:17:14 +03:00
Florian Roth
c595b47958 Winnti Burning Umbrella 
https://401trg.pw/burning-umbrella/
 2018-05-05 11:43:11 +02:00
Florian Roth
1f58d867d4 Turla Signature 2018-05-04 00:30:10 +02:00
Florian Roth
08385bc71d Bad PDF 
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
 2018-05-03 16:02:46 +02:00
Florian Roth
defc966d74 Fancy Bear Lojack Double Agent Hashes & YARA rule 
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
 2018-05-02 10:41:35 +02:00
Florian Roth
cc376073cc APT10 Hogfish Redleaves 2018-05-02 08:04:26 +02:00
Florian Roth
bd26c9226e Lazagne PW Dumper 2018-05-01 21:18:10 +02:00
Florian Roth
2b122abd9b Another YARA rule for CVE-2017-11882 detection 2018-05-01 21:17:24 +02:00
Florian Roth
c2e12db40c HScan False Positive 2018-04-26 23:19:47 +02:00
Florian Roth
b396038d14 Process Injector Generic 2018-04-26 23:19:35 +02:00
Florian Roth
abdc494d13 False Positive Reduction 2018-04-26 23:19:13 +02:00
Florian Roth
78ce62d33f Sednit Delphi Downloader 
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
 2018-04-26 23:18:46 +02:00
Florian Roth
f7da02c0f3 Kwampirs malware 
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
 2018-04-24 11:29:01 +02:00
Florian Roth
8d6d3b36ae GrandCrab malware 2018-04-24 11:22:46 +02:00
Florian Roth
8424575572
Merge pull request #33 from yt0ng/signature-base-yt0ng 
added winnti Mozilla Kingsoft Confusion in PE Metadata
 2018-04-16 08:11:03 +02:00
Florian Roth
06067a7399
Slightly modified - and QA tested 2018-04-16 07:58:13 +02:00
Florian Roth
a4ecbf4410 WebMonitor RAT 
https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/
 2018-04-16 07:51:01 +02:00
yt0ng
edb7390a48 added winnti Mozilla Kingsoft Confusion in PE Metadata 2018-04-15 09:46:48 +02:00
Florian Roth
70037ba67e PowerShell JAB rule 2018-04-14 11:56:12 +02:00
Florian Roth
e0245230c3 Renamed rule to avoid problems with updated LOKI versions 2018-04-14 11:55:57 +02:00
Florian Roth
615b9a117e Updated GIF cloaked webshell rule 2018-04-13 11:34:48 +02:00
Florian Roth
4ca62a2556 Turla Agent.BTZ 2018-04-12 19:42:29 +02:00
Florian Roth
5b2c2b58d9 Cosmetics 2018-04-11 23:51:43 +02:00
Florian Roth
f2f9956fbb New hacktool signatures 2018-04-11 23:51:43 +02:00
Florian Roth
c1b50600c1 Rule improvements 2018-04-11 23:51:43 +02:00
yt0ng
b6c6e60681 added Turla Kazuar RAT described by DrunkBinary 2018-04-09 14:22:36 +02:00
Florian Roth
da310446fe Generic PowerShell rule for code the uses Kernel32 / write remote process memory 2018-04-06 12:45:37 +02:00
Florian Roth
bb8fe2cdf4 Revised YARA sigs from NCSC report 
https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
 2018-04-06 12:45:37 +02:00
Florian Roth
68f98c8775 CVE-2014-4076 exploit code 2018-04-06 12:45:37 +02:00
Florian Roth
4e57b9f856 Renamed rule 2018-04-06 12:45:37 +02:00
Florian Roth
05f65d6592
Performance optimization 2018-04-03 15:30:23 +02:00
John Lambert
28bd891428
Update gen_unicorn_obfuscated_powershell.yar 
Tweak rule for optional paren
 2018-04-03 06:23:50 -07:00
John Lambert
30f914e71d
Update gen_unicorn_obfuscated_powershell.yar 
add support for alternative switches (i.e. -w and /w) and paren block on payload. Found in VT sample 1afb9795cb489abce39f685a420147a2875303a07c32bf7eec398125300a460b
 2018-04-03 06:17:48 -07:00
Florian Roth
4263292a16 Hidden Cobra Wiper 
https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
 2018-03-28 19:57:12 +02:00
John Lambert
df49f01006
update for VT uploads that include the POST header 
came across submissions (7d5819a2ea62376e24f0dd3cf5466d97bbbf4f5f730eb9302307154b363967ea, 2a69e46094d0fef2b3ffcab73086c16a10b517f58e0c1f743ece4f246889962b) with a header such as:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 90.147.64.54:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>...
 2018-03-28 05:31:01 -07:00
Florian Roth
2d4a023211 Updated Keyboy malware rules 2018-03-28 11:28:38 +02:00
Florian Roth
5a5268e3db Suspicious Keylogger / Backdoor PDB strings 2018-03-28 11:27:53 +02:00
Florian Roth
d89fda03fe Improved Impacket rules 2018-03-28 11:27:18 +02:00
Florian Roth
29dc390b2b OilRig / Chafer YARA Rules 
https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 2018-03-23 08:43:43 +01:00
Florian Roth
89eb1aaed2 Added .yar extension to weblogic exploit rule 2018-03-22 00:19:09 +01:00
Florian Roth
525bb2d361 False Positive Reduction 2018-03-22 00:17:41 +01:00
John Lambert
f6fef3e296
detect Oracle Weblogic exploit CVE-2017-10271 
Performed a retrohunt. 3 matches came back--all true positives:
20f5a6b4915d51c36b1e2fa77da7f75c44b07697b717ef733deba86d7c57b09a
376c2bc11d4c366ad4f6fecffc0bea8b195e680b4c52a48d85a8d3f9fab01c95
864e9d8904941fae90ddd10eb03d998f85707dc2faff80cba2e365a64e830e1d/subfile
 2018-03-21 14:06:07 -07:00