valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
481 Commits 2 Branches 1 Tag 33 MiB
49ce0546e9
Commit Graph

481 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth
49ce0546e9 APT Sofacy Hospitality report malware by CSECybsec 
http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf
 2017-10-31 10:44:17 +01:00
Florian Roth
c83cf1a6ed Improved DDE in Office documents rules by NVISO Labs 2017-10-25 23:44:30 +02:00
Florian Roth
85c8608499 False Positive Reduction 2017-10-25 23:43:56 +02:00
Florian Roth
957ac24585 BadRabbit ransomware 2017-10-25 08:57:00 +02:00
Florian Roth
04825e634c Sofacy Campaign IOCs 2017-10-23 19:10:44 +02:00
Florian Roth
e2e253c2f2 APT28 / Sofacy malware 
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
 2017-10-23 16:56:32 +02:00
Florian Roth
b542e0635c Cleanup 2017-10-23 16:54:53 +02:00
Florian Roth
81e2977704 False Positive Reduction 2017-10-23 16:54:34 +02:00
Florian Roth
3947d5adfd Changed wording after quality checks 2017-10-21 19:56:50 +02:00
Florian Roth
bce45632c9 US-CERT TA17-293A - modified YARA rule set 
https://www.us-cert.gov/ncas/alerts/TA17-293A
 2017-10-21 19:53:02 +02:00
Florian Roth
c9a9932b7b Bad Patch report YARA signatures 
https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/
 2017-10-21 16:27:18 +02:00
Florian Roth
4755027693 US-CERT TA17-293A - Part 1 - Filename, Hash, C2 IOCs 
https://www.us-cert.gov/ncas/alerts/TA17-293A
 2017-10-21 16:26:07 +02:00
Florian Roth
7db1c95466 Added AirBnb / BinaryAlert YARA rules in new vendor directory 2017-10-20 11:21:49 +02:00
Florian Roth
43d5b1737f Bugfix in Puppy RAT rule 2017-10-20 09:54:59 +02:00
Florian Roth
cda2de3d94 HKDoor report IOCs 2017-10-19 12:01:37 +02:00
Florian Roth
bd33c27075 OilRig filename IOCs 2017-10-19 12:01:23 +02:00
Florian Roth
8e01421bc4 Leviathan APT - Maritime and Defense Targets 
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
 2017-10-19 09:34:07 +02:00
Florian Roth
75101b02ce Black Oasis IOCs 2017-10-19 09:30:40 +02:00
Florian Roth
32fe1a4906 OilRig YARA rules derived from PaloAltoNetwork reports Sep/Oct 17 2017-10-19 09:29:59 +02:00
Florian Roth
1f8312fad0 Replaced non-ASCII character 2017-10-19 01:17:59 +02:00
Florian Roth
8da0b76701 False Positive Reduction - apply to files only (not memory) 2017-10-18 21:58:57 +02:00
Florian Roth
6f3e4bd79c Activate pe.imphash() expressions in my rules 2017-10-18 21:58:30 +02:00
Florian Roth
2ffd97c1d9 HKDoor Rules by Cylance Inc. 
https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html
 2017-10-18 21:57:37 +02:00
Florian Roth
ae643f78d9 FEIB Report - by BEA systems 
https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html
 2017-10-17 08:31:59 +02:00
Florian Roth
8c994452c4 Improved Reflective Loaders Rule 2017-10-15 10:53:06 +02:00
Florian Roth
04b278d87b Bronze Butler malware 
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
 2017-10-15 10:52:49 +02:00
Florian Roth
568aa89d4f PowerShell Casing Anomaly Adjustments 2017-10-14 23:00:13 +02:00
Florian Roth
3f27b85df6 False Positive Reduction 2017-10-14 12:59:00 +02:00
Florian Roth
430b1b88a2 Saudi Aramco Phishing campaign malware 2017-10-12 09:15:20 +02:00
Florian Roth
96d9ba4858 Results for the DDEAUTO rules are much better 2017-10-11 20:58:16 +02:00
Florian Roth
d3f19e9bf4 Too many false positives 2017-10-11 20:46:16 +02:00
Florian Roth
dca5a3dcf7 Missing PE module imports, minor changes 2017-10-11 18:43:19 +02:00
Florian Roth
ae9f920a2a Reduced score due to possible false positives 2017-10-11 16:21:43 +02:00
Florian Roth
364da99da5 Decting DDE in Office Docs - Sigs by NVISO Labs 
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
 2017-10-11 14:10:38 +02:00
Florian Roth
d4f661decc False Positive Reduction 2017-10-11 10:57:01 +02:00
Florian Roth
adf95a4396 Combined PS Anomaly rules to a single rule 2017-10-11 10:37:33 +02:00
Florian Roth
30f2d84d53 PS Anomaly - New version missed other positives / including both versions 2017-10-11 10:13:10 +02:00
Florian Roth
12ea6bc9bf Backdoor Snarasite 2017-10-08 00:14:03 +02:00
Florian Roth
3aad0049ec Backdoor Banker Corkow 
https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf
 2017-10-08 00:13:52 +02:00
Florian Roth
5c889db4a9 FreeMilk YARA rules bugfix - thx to M. Selck 2017-10-06 23:54:13 +02:00
Florian Roth
97c97a803c Uncommon size adjustments for new Win10 files 2017-10-06 10:19:51 +02:00
Florian Roth
dbec537768 FreeMilk APT - Palo Alto Networks Report 
https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
 2017-10-05 20:42:55 +02:00
Florian Roth
3e7c48c5ee Fixed regular expressions in filename IOCs 2017-10-05 16:06:46 +02:00
Florian Roth
3560d720f7 URL file pointing to local EXE 2017-10-04 14:42:34 +02:00
Florian Roth
f44c9b9fcb PowerShell improved casing anomaly rule, WScript anomaly rule 2017-10-03 19:36:54 +02:00
Florian Roth
354ea043bb Hacktool RedSails 
https://github.com/BeetleChunks/redsails
 2017-10-03 19:36:17 +02:00
Florian Roth
3ea15953b9 WinDivert Driver - PUA: User mode packet capturing driver 2017-10-03 19:35:49 +02:00
Florian Roth
2b6cc72f64 CMSTAR Malware 
https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/
 2017-10-03 19:35:15 +02:00
Florian Roth
8574935d17 APT17 Malware September 2017 
http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/
 2017-10-03 19:34:53 +02:00
Florian Roth
1d8093a9de New suspicious PowerShell scripts 2017-10-01 00:24:31 +02:00