valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
940 Commits 2 Branches 1 Tag 33 MiB
7c7ae36887
Commit Graph

700 Commits

Author SHA1 Message Date
Florian Roth
2fb2bd2481 fix: removed duplicate rule 2018-12-29 17:00:19 +01:00
Florian Roth
b6920c0d0c Moved NK miner to generic list 2018-12-29 09:31:57 +01:00
Florian Roth
82a91c8d6c Update on crypto coin miner 2018-12-29 09:31:14 +01:00
Florian Roth
819c4f2ac5 fix: missing "pe" import 2018-12-29 09:20:24 +01:00
Florian Roth
0b96d7131d APT10 rule update with imphash rule 2018-12-29 09:17:56 +01:00
Florian Roth
900796dcdf Hacktool NoPowerShell 2018-12-28 14:57:03 +01:00
Florian Roth
046b5736d0 YARA rule description cleanup 2018-12-28 12:38:31 +01:00
Florian Roth
cf85a7cd31 YARA rule svchosts 2018-12-22 09:12:34 +01:00
Florian Roth
72eaa194ae Area1 Phishing Diplomacy Rules 2018-12-19 19:17:51 +01:00
Florian Roth
f73324aa1a Minor adjustments in gen_malware_MacOS_plist_suspicious rule 2018-12-16 10:10:42 +01:00
John Lambert
bd8185482f
Detect suspicious MacOS launch agent config files 
plist files contain configuration for user-specific background jobs in OSX. Malware abuses this feature for persistence. Coin miners have been seen to use this feature as well.
 2018-12-14 13:55:31 -08:00
Florian Roth
13b238f39f Fixed character formatting to wide in SUSP_Scheduled_Task_BigSize 2018-12-14 08:58:10 +01:00
Florian Roth
1b959e2a3b False Positives on Exchange with SUSP_Scheduled_Task_BigSize 2018-12-14 08:55:48 +01:00
Florian Roth
e4dd8c610c Fixed some dates 2018-12-14 08:55:27 +01:00
Florian Roth
e118b0c92e Rule: Powershell Obfuscation 2018-12-13 14:25:01 +01:00
Florian Roth
826446a785 Low scoring rule: Anomaly - Linux UPX compressed binaries 2018-12-13 14:24:41 +01:00
Florian Roth
ab5ac55a1b New HawkEye keylogger rule 2018-12-12 09:24:12 +01:00
Florian Roth
a22874af46 Lazagne Password Dumper 2018-12-11 15:12:42 +01:00
Florian Roth
80a090685d False Positive Reduction and Cleanup 2018-12-11 15:08:39 +01:00
Florian Roth
9d38c8f4b3 Suspicious Scheduled Task BigSize 2018-12-07 08:20:44 +01:00
Florian Roth
2ed2af38f8 Suspicious Pirated Office 2007 2018-12-07 08:20:31 +01:00
Florian Roth
73bfc659da fix: bugfix in SSHDoor rule - missing "and" 2018-12-05 21:03:24 +01:00
Florian Roth
a2c2478527 Limited SSHDoor rule to ELF to avoid false positives 2018-12-05 21:00:25 +01:00
Florian Roth
63010d1954 Linux/SSHDoor - Triton related by ESET - modified version 
https://github.com/eset/malware-ioc/tree/master/sshdoor
 2018-12-05 20:58:02 +01:00
Florian Roth
0a3567621b fix: bugfix in generic_anomalies rule 2018-12-01 13:32:26 +01:00
Florian Roth
9291c8c9a1 fix: bugfix in general_anomalies.yar rule 2018-12-01 13:02:18 +01:00
Florian Roth
8cd247169a False Positive Reduction 2018-12-01 08:33:33 +01:00
Florian Roth
3d1088575d DNSPIONAGE 
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
 2018-12-01 08:33:20 +01:00
Florian Roth
db9ea97d62 fix: missing pe import 2018-11-23 08:38:19 +01:00
Florian Roth
8a22d4d403 Removed duplicate rules 2018-11-23 08:33:07 +01:00
Florian Roth
9d1848627d Removed duplicate rules 2018-11-23 08:32:57 +01:00
Florian Roth
0f6acf4674 Turla PNG dropper 
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
 2018-11-23 08:32:10 +01:00
Florian Roth
16e70f3d2e APT28 Cannon Trojan 2018-11-21 21:29:31 +01:00
Florian Roth
79f9a0fb4c Suspicious Office Droppers 2018-11-21 11:18:05 +01:00
Florian Roth
1b0fc045a4 Added David to the authors 2018-11-15 17:25:58 +01:00
Florian Roth
c6c86e7eca Nick's rule for Base64 encoded PS1 shellcode 2018-11-15 15:12:30 +01:00
Florian Roth
5e0adc108b Added LOKI / SPARK specific rule to thor's inverse set 2018-11-15 09:23:01 +01:00
Florian Roth
427c221d42 Suspicious renamed Dot1Xtray rule DLL-Sideloading 2018-11-15 09:21:21 +01:00
Florian Roth
1dd9a238be JexBoss Webshells 2018-11-09 08:42:39 +01:00
Florian Roth
061e7bd3f5 Renamed DriveCrypt rule 2018-11-09 08:28:21 +01:00
Florian Roth
3dc1826e89 New JRAT rule 2018-11-09 08:28:05 +01:00
Florian Roth
860e9cd600 Backnet Open Source C# backdoor 2018-11-09 08:27:53 +01:00
Florian Roth
2ae56a9b21 JPCERT CobaltStrike beacon rule 2018-11-09 08:27:38 +01:00
Florian Roth
f0edb3c047 Suspicious size of ASUS tuning tool 2018-10-30 09:41:59 +01:00
Florian Roth
385c91446e Suspicious Win32dll string 2018-10-30 09:41:46 +01:00
Florian Roth
4e5c40cc93 Cobalt Gang Rule by PaloAltoNetwroks 
https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/
 2018-10-30 09:17:04 +01:00
Florian Roth
a364ab0cc7 Updated Mirai rules 2018-10-27 21:58:34 +02:00
Florian Roth
91ad6d20a4 Grey Energy 
https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/
 2018-10-22 00:40:07 +02:00
Florian Roth
2498a802eb jQuery File Upload Vulnerability 
https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
 2018-10-19 09:07:37 +02:00
Florian Roth
f6fb2a2d22 Hacktool SqlMap update 2018-10-19 09:06:24 +02:00
Florian Roth
c8d3a207a8 False Positive Reduction 2018-10-19 09:06:10 +02:00
Florian Roth
a62eeef8ba Suspicious IEX PowerShell Combo 2018-10-10 16:30:50 +02:00
Florian Roth
ee33d93858 Suspicious String Obfuscation Concat 2018-10-10 16:30:32 +02:00
Florian Roth
ce17d9ab65 False Positive Reduction 2018-10-10 16:30:08 +02:00
Florian Roth
a7cbf7b9c7 Suspicious SFX running wscript.exe 2018-09-28 13:29:43 +02:00
Florian Roth
7dd457c5b3 Suspicious CMD Var expansion in Office Docs 2018-09-28 13:29:35 +02:00
Florian Roth
a907fd2210 False Positive Reduction 
https://github.com/Neo23x0/signature-base/issues/44
 2018-09-24 12:30:09 +02:00
Florian Roth
d6a2d00cb7 Xbash 
https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
 2018-09-20 07:38:08 +02:00
Florian Roth
265ad6fba8 Suspicious LNK files 2018-09-19 08:51:23 +02:00
Florian Roth
9412f650d8 Fix: tightened the SFX rule 2018-09-17 08:27:58 +02:00
Florian Roth
954bb96328 Anomaly: SFX with Microsoft Copyright 2018-09-17 08:21:16 +02:00
Florian Roth
f2984271d4 Generic rule: Suspicious office dropper strings 2018-09-14 00:24:44 +02:00
Florian Roth
3efa3f9648 BlackBone Driver Injector 2018-09-11 13:34:44 +02:00
Florian Roth
eed7fcdf4c False Positive Reduction 2018-09-11 13:34:14 +02:00
Florian Roth
1d3baf823b Fixed error in RC4 keys list 2018-08-26 20:16:40 +02:00
Florian Roth
7c8745c59e License notice on my own rules, removed rules with unclear/problematic licensing 2018-08-26 12:48:01 +02:00
Florian Roth
3281e6dc72 APT Lazarus Operation Applejeus YARA rules 2018-08-26 12:48:01 +02:00
Florian Roth
3fb661511c Modified mimikatz rule to exclude low performing expr 2018-08-26 12:48:01 +02:00
Florian Roth
4a1deff33c DriveCrypt exploits 2018-08-22 11:10:00 +02:00
Florian Roth
8ddab9bd5a False Positive Reduction https://github.com/Neo23x0/signature-base/issues/42 2018-08-22 11:09:39 +02:00
Florian Roth
5d4ed2203d fix: fixed typo in rule name 2018-08-21 11:09:06 +02:00
Florian Roth
e3d60d7899 Metasploit Framework UA 2018-08-21 10:59:12 +02:00
Florian Roth
a30f16f056 False Positive Reduction 2018-08-21 10:58:45 +02:00
Florian Roth
9020d1f005 More HiddenCobra rules 
https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
 2018-08-13 16:27:03 +02:00
Florian Roth
1ee9142dc5 Improved certificate payload rule 2018-08-02 15:47:42 +02:00
Florian Roth
62400d7324 fix: missing import "pe" statement 2018-08-02 12:20:24 +02:00
Florian Roth
5141e33893 YARA rules for sample in FireEye's FIN7 report 
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 2018-08-02 12:15:01 +02:00
Florian Roth
1ba9e9f57f DarkHydrus YARA rules 2018-08-02 11:51:03 +02:00
Florian Roth
3e9a1a5579 Certificate Payloads 2018-08-02 11:50:29 +02:00
Florian Roth
9bdccc2360 Hacktools: BeRoot, PDF Embedded Mal Code 2018-07-27 13:25:10 +02:00
Florian Roth
0cd91f3afe FancyBear MacOS Agent 2018-07-16 11:44:59 -06:00
Florian Roth
1bea712d70 False Positive Reduction 2018-07-16 11:44:41 -06:00
Florian Roth
24a899602e fix: Added missing import statement for "pe" module 2018-07-14 08:06:35 -06:00
Florian Roth
af76f26aa3 Big Bang report by Check Point 
https://research.checkpoint.com/apt-attack-middle-east-big-bang/
 2018-07-14 07:58:52 -06:00
Florian Roth
e6d6825c94 Monero miner update 2018-07-06 16:07:00 -06:00
Florian Roth
c2634bfa23 APT Rancor 
https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/
 2018-06-27 07:57:03 +02:00
Florian Roth
4122386cba Limited Cloud Hopper Rule 2018-06-25 10:57:21 +02:00
Florian Roth
93f62d8300 Hacktool PowerSploit Dropper 2018-06-24 22:44:28 +02:00
Florian Roth
5f87e74c00 Tick Weaponized USB 2018-06-24 22:44:11 +02:00
Florian Roth
1c41cd5d16 APT Thrip 
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
 2018-06-22 00:01:47 +02:00
Florian Roth
04a5426a14 Minor changes and adjustments 2018-06-22 00:00:14 +02:00
Florian Roth
c835b3a58c PLEAD Downloader 2018-06-16 17:40:31 +02:00
Florian Roth
3b25bd8a05 AR18-165 YARA rules 2018-06-16 17:40:18 +02:00
Florian Roth
e53539d7e4 Turla Agent.BTZ 2018-06-16 17:39:25 +02:00
Florian Roth
edfdb48bdc Score adjusted 2018-06-13 13:37:06 +02:00
Florian Roth
6dd31e254c New MuddyWater signature 2018-06-13 13:34:58 +02:00
Florian Roth
4a4a94fc9c Rules prone to false positives on process memory to "file" only 2018-06-13 08:30:02 +02:00
Florian Roth
c42709fe0d BluenoroffPoS DLL 
http://blog.trex.re.kr/
 2018-06-08 21:12:24 +02:00
Florian Roth
be2315b3cf False Positive Reduction 2018-06-08 21:11:39 +02:00
Florian Roth
8f48aa959b APT Lazarus RAT & Dropper 
https://twitter.com/DrunkBinary/status/1002587521073721346
 2018-06-03 00:28:59 +02:00