Commit Graph

662 Commits

Author SHA1 Message Date
Jeff Beley
3fa7540094 Added rules for a tiny webshell and a go based htran variant 2019-01-16 10:58:25 -06:00
Florian Roth
32182ab8ff Nitol Malware 2019-01-14 11:20:18 +01:00
Florian Roth
6d0e6bc997 Update gen_bad_pdf.yar 2019-01-10 11:28:31 +01:00
Clément Notin
a61ab94eff gen_bad_pdf.yar: fix detection of Metasploit generated files 2019-01-10 10:49:55 +01:00
John Lambert
0de78e6654 Create gen_macro_ShellExecute_action.yar
Rule finds VBA macro samples that use the ShellExecute "evasion" method specified in the tweet mentioned in the rule.
2019-01-08 12:22:19 -08:00
Florian Roth
4349f58d37 Score adjustments 2019-01-08 09:18:54 +01:00
Florian Roth
9a0e7a44fb Cryp RAT 2019-01-08 09:18:45 +01:00
Florian Roth
7216c088b0 JAVA class with VBS content 2019-01-07 13:28:06 +01:00
Florian Roth
6d9577a703 Putty abnormal file sizes 2019-01-07 13:27:31 +01:00
Florian Roth
03f109c14e Improved script obfuscation rule 2019-01-03 11:04:14 +01:00
Florian Roth
9eec73061a APT28 Zebrocy Golang Loader by @VK_Intel
https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html
2019-01-02 09:19:09 +01:00
Florian Roth
d26a5045d9 Ryuk Ransomware 2018-12-31 14:56:56 +01:00
Florian Roth
2fb2bd2481 fix: removed duplicate rule 2018-12-29 17:00:19 +01:00
Florian Roth
b6920c0d0c Moved NK miner to generic list 2018-12-29 09:31:57 +01:00
Florian Roth
82a91c8d6c Update on crypto coin miner 2018-12-29 09:31:14 +01:00
Florian Roth
819c4f2ac5 fix: missing "pe" import 2018-12-29 09:20:24 +01:00
Florian Roth
0b96d7131d APT10 rule update with imphash rule 2018-12-29 09:17:56 +01:00
Florian Roth
900796dcdf Hacktool NoPowerShell 2018-12-28 14:57:03 +01:00
Florian Roth
046b5736d0 YARA rule description cleanup 2018-12-28 12:38:31 +01:00
Florian Roth
cf85a7cd31 YARA rule svchosts 2018-12-22 09:12:34 +01:00
Florian Roth
72eaa194ae Area1 Phishing Diplomacy Rules 2018-12-19 19:17:51 +01:00
Florian Roth
f73324aa1a Minor adjustments in gen_malware_MacOS_plist_suspicious rule 2018-12-16 10:10:42 +01:00
John Lambert
bd8185482f Detect suspicious MacOS launch agent config files
plist files contain configuration for user-specific background jobs in OSX. Malware abuses this feature for persistence. Coin miners have been seen to use this feature as well.
2018-12-14 13:55:31 -08:00
Florian Roth
13b238f39f Fixed character formatting to wide in SUSP_Scheduled_Task_BigSize 2018-12-14 08:58:10 +01:00
Florian Roth
1b959e2a3b False Positives on Exchange with SUSP_Scheduled_Task_BigSize 2018-12-14 08:55:48 +01:00
Florian Roth
e4dd8c610c Fixed some dates 2018-12-14 08:55:27 +01:00
Florian Roth
e118b0c92e Rule: Powershell Obfuscation 2018-12-13 14:25:01 +01:00
Florian Roth
826446a785 Low scoring rule: Anomaly - Linux UPX compressed binaries 2018-12-13 14:24:41 +01:00
Florian Roth
ab5ac55a1b New HawkEye keylogger rule 2018-12-12 09:24:12 +01:00
Florian Roth
a22874af46 Lazagne Password Dumper 2018-12-11 15:12:42 +01:00
Florian Roth
80a090685d False Positive Reduction and Cleanup 2018-12-11 15:08:39 +01:00
Florian Roth
9d38c8f4b3 Suspicious Scheduled Task BigSize 2018-12-07 08:20:44 +01:00
Florian Roth
2ed2af38f8 Suspicious Pirated Office 2007 2018-12-07 08:20:31 +01:00
Florian Roth
73bfc659da fix: bugfix in SSHDoor rule - missing "and" 2018-12-05 21:03:24 +01:00
Florian Roth
a2c2478527 Limited SSHDoor rule to ELF to avoid false positives 2018-12-05 21:00:25 +01:00
Florian Roth
63010d1954 Linux/SSHDoor - Triton related by ESET - modified version
https://github.com/eset/malware-ioc/tree/master/sshdoor
2018-12-05 20:58:02 +01:00
Florian Roth
0a3567621b fix: bugfix in generic_anomalies rule 2018-12-01 13:32:26 +01:00
Florian Roth
9291c8c9a1 fix: bugfix in general_anomalies.yar rule 2018-12-01 13:02:18 +01:00
Florian Roth
8cd247169a False Positive Reduction 2018-12-01 08:33:33 +01:00
Florian Roth
3d1088575d DNSPIONAGE
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
2018-12-01 08:33:20 +01:00
Florian Roth
db9ea97d62 fix: missing pe import 2018-11-23 08:38:19 +01:00
Florian Roth
8a22d4d403 Removed duplicate rules 2018-11-23 08:33:07 +01:00
Florian Roth
9d1848627d Removed duplicate rules 2018-11-23 08:32:57 +01:00
Florian Roth
0f6acf4674 Turla PNG dropper
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
2018-11-23 08:32:10 +01:00
Florian Roth
16e70f3d2e APT28 Cannon Trojan 2018-11-21 21:29:31 +01:00
Florian Roth
79f9a0fb4c Suspicious Office Droppers 2018-11-21 11:18:05 +01:00
Florian Roth
1b0fc045a4 Added David to the authors 2018-11-15 17:25:58 +01:00
Florian Roth
c6c86e7eca Nick's rule for Base64 encoded PS1 shellcode 2018-11-15 15:12:30 +01:00
Florian Roth
5e0adc108b Added LOKI / SPARK specific rule to thor's inverse set 2018-11-15 09:23:01 +01:00
Florian Roth
427c221d42 Suspicious renamed Dot1Xtray rule DLL-Sideloading 2018-11-15 09:21:21 +01:00