valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
940 Commits 2 Branches 1 Tag 33 MiB
7c7ae36887
Commit Graph

700 Commits

Author SHA1 Message Date
Florian Roth
fe92bee246 FP: sublime package - recon commands 2019-02-26 11:46:00 +01:00
Florian Roth
cb46d0e0ba False Positive Reduction 2019-02-24 13:15:53 +01:00
Florian Roth
11bbd517f8 APT BabyShark rule 
https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 2019-02-24 13:15:40 +01:00
Florian Roth
d0b1e17dec False Positive Reduction 2019-02-19 23:46:28 +01:00
Florian Roth
0448d97e8f FP: svchost.exe size 2019-02-19 12:53:01 +01:00
Florian Roth
8f7335c6ad Author adjustments 2019-02-19 08:25:27 +01:00
Florian Roth
4ed1ebc730 Improved suspicious LNK file rule 2019-02-19 08:25:15 +01:00
Florian Roth
63999ebad9 AUS parliament network compromise 
https://cyber.gov.au/government/news/parliament-house-network-compromise/
 2019-02-18 11:03:18 +01:00
Florian Roth
1b85e40833 Suspicious Word VBA Macro strings 2019-02-16 07:49:44 +01:00
Florian Roth
50b0a91ee0 FP: adjusted size of svchost.exe rule 2019-02-16 07:49:25 +01:00
Florian Roth
31be267244 Removed problematic string from rule 2019-02-14 08:42:04 +01:00
Florian Roth
77825e574c Merged suspicious Office Droppers rule with new rule 2019-02-13 08:27:24 +01:00
Florian Roth
692282b9d8 Renamed AutoCAD rule 2019-02-11 15:20:13 +01:00
Florian Roth
6a1f8cc3a0
0x28 is subset of other condition 2019-02-11 15:13:47 +01:00
John Lambert
7ef2cad740
Create SUSP_autocad_lsp_malware.yar 2019-02-07 16:05:49 -08:00
Florian Roth
ab3b967216
Minor changes 2019-02-07 18:09:34 +01:00
John Lambert
eba6596861
Create gen_macro_StarOffice_suspicious.yar 
Performed a retrohunt to narrow down to the malicious hashes listed
 2019-02-07 09:06:43 -08:00
Florian Roth
ec6bcf6edd Changed filename 2019-02-07 09:48:08 +01:00
Florian Roth
ca3960b70e
Merge pull request #58 from JohnLaTwC/patch-9 
Create gen_libre_office_CVE_2018_16858.yar
 2019-02-05 19:54:33 +01:00
Florian Roth
312f78bfa3
Minor changes: rule name, nocase, removed size 2019-02-05 17:01:41 +01:00
John Lambert
2199580487
Create gen_libre_office_CVE_2018_16858.yar 2019-02-05 07:20:56 -08:00
Florian Roth
74c8970f95 Suspicious Katz.PDB 2019-02-05 09:11:43 +01:00
Florian Roth
fbe8852a9a Extended suspicious LNK file content rule 2019-02-05 09:11:33 +01:00
Florian Roth
146d0e9ae1 Suspicious big LNK file 2019-02-05 09:11:16 +01:00
Florian Roth
30352f327e ExileRAT 
https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html
 2019-02-04 20:44:06 +01:00
Florian Roth
0ee2f3d05f New Crypto Coin miner rule 2019-02-02 17:14:44 +01:00
Florian Roth
e99f7237f2 Rule improvements 2019-02-02 17:14:44 +01:00
John Lambert
7bfd6e14da
Update gen_macro_ShellExecute_action.yar 2019-01-31 19:38:50 -08:00
Florian Roth
4dafd62d5e APT DNS Hijacking campaign AA19-024A 
https://www.us-cert.gov/ncas/alerts/AA19-024A
 2019-01-29 15:31:54 +01:00
Florian Roth
6332f7c6ca Kitty Fork Putty FP 2019-01-29 15:31:54 +01:00
Florian Roth
7564e6e8e6 False Positive Reduction 
https://github.com/Neo23x0/signature-base/issues/54
 2019-01-24 11:03:01 +01:00
Florian Roth
b5f6c82040 Suspicious RTF header anomaly 2019-01-20 17:36:32 +01:00
Florian Roth
e3bee33094 False Positive Reduction 2019-01-20 17:36:18 +01:00
Florian Roth
caef03b95b fix: moved lsadump rule from general rules to the ext vars file 2019-01-19 12:22:32 +01:00
Florian Roth
ccd0b61cfd bugfix: PowerShell_Susp_Parameter_Combo 2019-01-17 13:18:07 +01:00
Florian Roth
ca7f252dc0 False Positive Reduction 2019-01-17 13:12:39 +01:00
Florian Roth
c0b0167e7b
That's great 2019-01-16 19:29:40 +01:00
Florian Roth
e1262a718e
I'd adjust it like that 2019-01-16 19:27:29 +01:00
Jeff Beley
3fa7540094 Added rules for a tiny webshell and a go based htran variant 2019-01-16 10:58:25 -06:00
Florian Roth
32182ab8ff Nitol Malware 2019-01-14 11:20:18 +01:00
Florian Roth
6d0e6bc997
Update gen_bad_pdf.yar 2019-01-10 11:28:31 +01:00
Clément Notin
a61ab94eff
gen_bad_pdf.yar: fix detection of Metasploit generated files 2019-01-10 10:49:55 +01:00
John Lambert
0de78e6654
Create gen_macro_ShellExecute_action.yar 
Rule finds VBA macro samples that use the ShellExecute "evasion" method specified in the tweet mentioned in the rule.
 2019-01-08 12:22:19 -08:00
Florian Roth
4349f58d37 Score adjustments 2019-01-08 09:18:54 +01:00
Florian Roth
9a0e7a44fb Cryp RAT 2019-01-08 09:18:45 +01:00
Florian Roth
7216c088b0 JAVA class with VBS content 2019-01-07 13:28:06 +01:00
Florian Roth
6d9577a703 Putty anormal file sizes 2019-01-07 13:27:31 +01:00
Florian Roth
03f109c14e Improved script obfuscation rule 2019-01-03 11:04:14 +01:00
Florian Roth
9eec73061a APT28 Zebrocy Golang Loader by @VK_Intel 
https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html
 2019-01-02 09:19:09 +01:00
Florian Roth
d26a5045d9 Ryuk Ransomware 2018-12-31 14:56:56 +01:00