Commit Graph

1168 Commits

Author SHA1 Message Date
Florian Roth
a1fdaf91a5 Netsha rules 2020-03-25 20:37:59 +01:00
Florian Roth
436a365126 APT41 hash iocs 2020-03-25 16:30:24 +01:00
Florian Roth
4dc3dbd692 fix: renamed rules that could probably cause duplicate name errors 2020-03-25 16:30:12 +01:00
Florian Roth
be0caf471d WildPressure IOCs 2020-03-24 12:21:34 +01:00
Florian Roth
33790e4f11 More Filename IOCs 2020-03-24 12:21:23 +01:00
Florian Roth
9c4d01fd67 refactor: removed outdated OTX IOCs 2020-03-23 19:24:02 +01:00
Florian Roth
760a3865bf Suspicious XORed URL in EXE 2020-03-18 16:00:28 +01:00
Florian Roth
e17da8158e CVE-2020-1938 2020-02-28 23:43:30 +01:00
Florian Roth
17117a2dda Synced some filetype-signatures with THOR 2020-02-26 08:24:16 +01:00
Florian Roth
f004ef0270 CVE-2020-0688 Exchange static validation key 2020-02-26 08:17:38 +01:00
Florian Roth
b9c23013fb false positive reduction 2020-02-25 09:37:53 +01:00
Florian Roth
0dd47a87e5 Parallax RAT rules by @VK_Intel 2020-02-25 09:37:15 +01:00
Florian Roth
a91e1a8745 CarbonBlack Winnti rules 2020-02-25 09:36:55 +01:00
Florian Roth
5a04c92856 fix: false positive reduction 2020-02-13 09:18:18 +01:00
Florian Roth
24db0fe709 fix: FPs with gen_malware_MacOS_plist_suspicious 2020-02-07 16:56:23 +01:00
Florian Roth
a4e2f23c82 Winnti loader rule by Vitali Kremez 2020-02-02 09:02:14 +01:00
Florian Roth
90c2377fdc Improved PowerShell rule 2020-01-29 15:52:52 +01:00
Florian Roth
72a737becd Suspicious FromBase64String Base64 Rule 2020-01-29 15:06:31 +01:00
Florian Roth
2aa792dc3a New Emotet rule 2020-01-29 15:06:06 +01:00
Florian Roth
434b102c1f fix: imphash not necessary 2020-01-24 15:33:57 +01:00
Florian Roth
feaf3a6cc2 rule: renamed certutil 2020-01-24 15:25:06 +01:00
Florian Roth
01c489674c fix: false positive reduction 2020-01-21 18:07:30 +01:00
Florian Roth
70a865f54e APT RoyalRoad RTF signatures 2020-01-21 18:07:18 +01:00
Florian Roth
c0a9bfae7b JhoneRAT Hash IOCs 2020-01-21 18:06:59 +01:00
Florian Roth
f294fa3b89 improved shitrix rule : nocase
https://twitter.com/ItsReallyNick/status/1217308463174496256
2020-01-15 09:15:12 +01:00
Florian Roth
2028be6db3 fix: fixed typo in NSC 2020-01-14 15:08:03 +01:00
Florian Roth
7863689d6a fix: fixed rule 2020-01-13 18:39:59 +01:00
Florian Roth
9ae5a24c4c change 2 YARA rule based on Will's comments
https://twitter.com/wdormann/status/1216752426902003713
2020-01-13 17:55:38 +01:00
Florian Roth
07899ff599 change YARA rule based on Will's comments
https://twitter.com/wdormann/status/1216752426902003713
2020-01-13 17:09:30 +01:00
Florian Roth
f6eb34c732 Updated Shitrix rule 2020-01-13 13:07:08 +01:00
Florian Roth
13eede12b8 Exploit payloads Shitrix 2020-01-13 12:50:40 +01:00
Florian Roth
ffc4871f36 Dustman ME attack 2020-01-09 16:30:04 +01:00
Florian Roth
bbdcaaa3c3 fix: webshell FP reduction 2020-01-09 16:29:56 +01:00
Florian Roth
087afc84b6 BRONZE PRESIDENT Hash IOCs 2019-12-31 10:58:59 +01:00
Florian Roth
bd87dad4e4 BRONZE PRESIDENT filename IOCs 2019-12-31 10:57:28 +01:00
Florian Roth
5a6fcb8045 Suspiciously small VHD files 2019-12-21 22:11:20 +01:00
Florian Roth
93daa55f21 Operation Wocao 2019-12-20 15:27:41 +01:00
Florian Roth
e666d752cc
Merge pull request #85 from JohnLaTwC/patch-14
Update gen_python_pyminifier_encoded_payload.yar
2019-12-20 08:24:03 +01:00
John Lambert
8a2087a78e
Update gen_python_pyminifier_encoded_payload.yar
tweak rule slightly to catch more cases:
15d201152a9465497a0f9dd6939e48315b358702c5e2a3c506ad436bb8816da7
5c5c1b5c6a5d7eff3941040321fde425eca612e870bba553f22ae5f9a2bd3318
d5664c70f3543f306f765ea35e22829dbea66aec729e8e11edea9806d0255b7e
2019-12-17 08:56:15 -08:00
Florian Roth
f30673e0e4
Merge pull request #84 from JohnLaTwC/patch-13
Create gen_python_pyminifier_encoded_payload.yar
2019-12-17 11:21:58 +01:00
John Lambert
b89f901688
Create gen_python_pyminifier_encoded_payload.yar
Detects encoded python files generated by pyminifier. Seen in Machete APT attacks as well as other malware on VT. Retrohunt results were all true positives:
2019-12-16 19:03:37 -08:00
Florian Roth
ead76e2f59 Rule RAR exfiltration 2019-12-16 18:17:20 +01:00
Florian Roth
a76d1ad79d Suspicious RAR Ntds.dit content 2019-12-16 18:00:48 +01:00
Florian Roth
a1270fb1f1 Improved description 2019-12-12 18:23:33 +01:00
Florian Roth
947fb3e810 GALLIUM Hash IOCs 2019-12-12 18:23:25 +01:00
Florian Roth
6a559d885f fix: fixed condition in cloaking rule 2019-12-09 13:27:52 +01:00
Florian Roth
086e006463 THOR filename IOCs donation 2019-12-09 08:56:33 +01:00
Florian Roth
04d342e1be DePriMon hash IOCs 2019-12-09 08:54:03 +01:00
Florian Roth
c7008bf1d4 False Positive Reduction 2019-12-09 08:53:51 +01:00
Florian Roth
c79b56af68 Winnti YARA rules 2019-12-09 08:53:35 +01:00