Commit Graph

491 Commits

Author SHA1 Message Date
Florian Roth
55868b5eff False Positive Reduction 2017-11-08 18:39:40 +01:00
Florian Roth
5bd15e9651 Bronze Butler Daserf malware 2017-11-08 12:52:38 +01:00
Florian Roth
3795d702b3 CrunchRAT
https://github.com/t3ntman/CrunchRAT
2017-11-04 01:57:05 +01:00
Florian Roth
be700a3c42 PowerShell Obfuscated Invoke - PE Loader 2017-11-03 08:28:52 +01:00
Florian Roth
b6522edf1f KeyBoys malware
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html
2017-11-03 08:28:16 +01:00
Florian Roth
b08dc91116 OTX IOCs Update Nov 17 2017-11-02 09:08:22 +01:00
Florian Roth
f33f0140eb Silence malware
https://securelist.com/the-silence/83009/
2017-11-02 09:07:58 +01:00
Florian Roth
6d85ad4e2e Missing "pe" module import in Kasper rule 2017-10-31 12:11:27 +01:00
Florian Roth
1e22089eee Missing "pe" module import in APT28 rule 2017-10-31 11:29:48 +01:00
Florian Roth
8ffdc4c43c Kasper malware update 2017-10-31 10:44:39 +01:00
Florian Roth
49ce0546e9 APT Sofacy Hospitality report malware by CSECybsec
http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf
2017-10-31 10:44:17 +01:00
Florian Roth
c83cf1a6ed Improved DDE in Office documents rules by NVISO Labs 2017-10-25 23:44:30 +02:00
Florian Roth
85c8608499 False Positive Reduction 2017-10-25 23:43:56 +02:00
Florian Roth
957ac24585 BadRabbit ransomware 2017-10-25 08:57:00 +02:00
Florian Roth
04825e634c Sofacy Campaign IOCs 2017-10-23 19:10:44 +02:00
Florian Roth
e2e253c2f2 APT28 / Sofacy malware
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
2017-10-23 16:56:32 +02:00
Florian Roth
b542e0635c Cleanup 2017-10-23 16:54:53 +02:00
Florian Roth
81e2977704 False Positive Reduction 2017-10-23 16:54:34 +02:00
Florian Roth
3947d5adfd Changed wording after quality checks 2017-10-21 19:56:50 +02:00
Florian Roth
bce45632c9 US-CERT TA17-293A - modified YARA rule set
https://www.us-cert.gov/ncas/alerts/TA17-293A
2017-10-21 19:53:02 +02:00
Florian Roth
c9a9932b7b Bad Patch report YARA signatures
https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/
2017-10-21 16:27:18 +02:00
Florian Roth
4755027693 US-CERT TA17-293A - Part 1 - Filename, Hash, C2 IOCs
https://www.us-cert.gov/ncas/alerts/TA17-293A
2017-10-21 16:26:07 +02:00
Florian Roth
7db1c95466 Added AirBnb / BinaryAlert YARA rules in new vendor directory 2017-10-20 11:21:49 +02:00
Florian Roth
43d5b1737f Bugfix in Puppy RAT rule 2017-10-20 09:54:59 +02:00
Florian Roth
cda2de3d94 HKDoor report IOCs 2017-10-19 12:01:37 +02:00
Florian Roth
bd33c27075 OilRig filename IOCs 2017-10-19 12:01:23 +02:00
Florian Roth
8e01421bc4 Leviathan APT - Maritime and Defense Targets
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
2017-10-19 09:34:07 +02:00
Florian Roth
75101b02ce Black Oasis IOCs 2017-10-19 09:30:40 +02:00
Florian Roth
32fe1a4906 OilRig YARA rules derived from PaloAltoNetwork reports Sep/Oct 17 2017-10-19 09:29:59 +02:00
Florian Roth
1f8312fad0 Replaced non-ASCII character 2017-10-19 01:17:59 +02:00
Florian Roth
8da0b76701 False Positive Reduction - apply to files only (not memory) 2017-10-18 21:58:57 +02:00
Florian Roth
6f3e4bd79c Activate pe.imphash() expressions in my rules 2017-10-18 21:58:30 +02:00
Florian Roth
2ffd97c1d9 HKDoor Rules by Cylance Inc.
https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html
2017-10-18 21:57:37 +02:00
Florian Roth
ae643f78d9 FEIB Report - by BEA systems
https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html
2017-10-17 08:31:59 +02:00
Florian Roth
8c994452c4 Improved Reflective Loaders Rule 2017-10-15 10:53:06 +02:00
Florian Roth
04b278d87b Bronze Butler malware
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
2017-10-15 10:52:49 +02:00
Florian Roth
568aa89d4f PowerShell Casing Anomaly Adjustments 2017-10-14 23:00:13 +02:00
Florian Roth
3f27b85df6 False Positive Reduction 2017-10-14 12:59:00 +02:00
Florian Roth
430b1b88a2 Saudi Aramco Phishing campaign malware 2017-10-12 09:15:20 +02:00
Florian Roth
96d9ba4858 Results for the DDEAUTO rules are much better 2017-10-11 20:58:16 +02:00
Florian Roth
d3f19e9bf4 Too many false positives 2017-10-11 20:46:16 +02:00
Florian Roth
dca5a3dcf7 Missing PE module imports, minor changes 2017-10-11 18:43:19 +02:00
Florian Roth
ae9f920a2a Reduced score due to possible false positives 2017-10-11 16:21:43 +02:00
Florian Roth
364da99da5 Decting DDE in Office Docs - Sigs by NVISO Labs
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
2017-10-11 14:10:38 +02:00
Florian Roth
d4f661decc False Positive Reduction 2017-10-11 10:57:01 +02:00
Florian Roth
adf95a4396 Combined PS Anomaly rules to a single rule 2017-10-11 10:37:33 +02:00
Florian Roth
30f2d84d53 PS Anomaly - New version missed other positives / including both versions 2017-10-11 10:13:10 +02:00
Florian Roth
12ea6bc9bf Backdoor Snarasite 2017-10-08 00:14:03 +02:00
Florian Roth
3aad0049ec Backdoor Banker Corkow
https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf
2017-10-08 00:13:52 +02:00
Florian Roth
5c889db4a9 FreeMilk YARA rules bugfix - thx to M. Selck 2017-10-06 23:54:13 +02:00