Commit Graph

1064 Commits

Author SHA1 Message Date
Florian Roth
03f109c14e Improved script obfuscation rule 2019-01-03 11:04:14 +01:00
Florian Roth
9eec73061a APT28 Zebrocy Golang Loader by @VK_Intel
https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html
2019-01-02 09:19:09 +01:00
Florian Roth
d26a5045d9 Ryuk Ransomware 2018-12-31 14:56:56 +01:00
Florian Roth
2fb2bd2481 fix: removed duplicate rule 2018-12-29 17:00:19 +01:00
Florian Roth
b6920c0d0c Moved NK miner to generic list 2018-12-29 09:31:57 +01:00
Florian Roth
82a91c8d6c Update on crypto coin miner 2018-12-29 09:31:14 +01:00
Florian Roth
819c4f2ac5 fix: missing "pe" import 2018-12-29 09:20:24 +01:00
Florian Roth
0b96d7131d APT10 rule update with imphash rule 2018-12-29 09:17:56 +01:00
Florian Roth
900796dcdf Hacktool NoPowerShell 2018-12-28 14:57:03 +01:00
Florian Roth
046b5736d0 YARA rule description cleanup 2018-12-28 12:38:31 +01:00
Florian Roth
5710d22af2 APT10 IOCs - all publicly available IOCs from AlienVault OTX 2018-12-28 12:38:08 +01:00
Florian Roth
cf85a7cd31 YARA rule svchosts 2018-12-22 09:12:34 +01:00
Florian Roth
4f666da806 Reference to Valhalla rule feed 2018-12-22 09:11:51 +01:00
Florian Roth
72eaa194ae Area1 Phishing Diplomacy Rules 2018-12-19 19:17:51 +01:00
Florian Roth
f73324aa1a Minor adjustments in gen_malware_MacOS_plist_suspicious rule 2018-12-16 10:10:42 +01:00
Florian Roth
dd044b0278
Merge pull request #48 from JohnLaTwC/patch-6
Detect suspicious MacOS launch agent config files
2018-12-16 09:53:17 +01:00
John Lambert
bd8185482f
Detect suspicious MacOS launch agent config files
plist files contain configuration for user-specific background jobs in OSX. Malware abuses this feature for persistence. Coin miners have been seen to use this feature as well.
2018-12-14 13:55:31 -08:00
Florian Roth
13b238f39f Fixed character formatting to wide in SUSP_Scheduled_Task_BigSize 2018-12-14 08:58:10 +01:00
Florian Roth
1b959e2a3b False Positives on Exchange with SUSP_Scheduled_Task_BigSize 2018-12-14 08:55:48 +01:00
Florian Roth
e4dd8c610c Fixed some dates 2018-12-14 08:55:27 +01:00
Florian Roth
37582f20d3 Removed duplicates that appear 3 times in list 2018-12-13 14:25:24 +01:00
Florian Roth
e118b0c92e Rule: Powershell Obfuscation 2018-12-13 14:25:01 +01:00
Florian Roth
826446a785 Low scoring rule: Anomaly - Linux UPX compressed binaries 2018-12-13 14:24:41 +01:00
Florian Roth
ab5ac55a1b New HawkEye keylogger rule 2018-12-12 09:24:12 +01:00
Florian Roth
a22874af46 Lazagne Password Dumper 2018-12-11 15:12:42 +01:00
Florian Roth
80a090685d False Positive Reduction and Cleanup 2018-12-11 15:08:39 +01:00
Florian Roth
9d38c8f4b3 Suspicious Scheduled Task BigSize 2018-12-07 08:20:44 +01:00
Florian Roth
2ed2af38f8 Suspicious Pirated Office 2007 2018-12-07 08:20:31 +01:00
Florian Roth
73bfc659da fix: bugfix in SSHDoor rule - missing "and" 2018-12-05 21:03:24 +01:00
Florian Roth
a2c2478527 Limited SSHDoor rule to ELF to avoid false positives 2018-12-05 21:00:25 +01:00
Florian Roth
63010d1954 Linux/SSHDoor - Triton related by ESET - modified version
https://github.com/eset/malware-ioc/tree/master/sshdoor
2018-12-05 20:58:02 +01:00
Florian Roth
0a3567621b fix: bugfix in generic_anomalies rule 2018-12-01 13:32:26 +01:00
Florian Roth
9291c8c9a1 fix: bugfix in general_anomalies.yar rule 2018-12-01 13:02:18 +01:00
Florian Roth
8cd247169a False Positive Reduction 2018-12-01 08:33:33 +01:00
Florian Roth
3d1088575d DNSPIONAGE
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
2018-12-01 08:33:20 +01:00
Florian Roth
db9ea97d62 fix: missing pe import 2018-11-23 08:38:19 +01:00
Florian Roth
8a22d4d403 Removed duplicate rules 2018-11-23 08:33:07 +01:00
Florian Roth
9d1848627d Removed duplicate rules 2018-11-23 08:32:57 +01:00
Florian Roth
0f6acf4674 Turla PNG dropper
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
2018-11-23 08:32:10 +01:00
Florian Roth
16e70f3d2e APT28 Cannon Trojan 2018-11-21 21:29:31 +01:00
Florian Roth
79f9a0fb4c Suspicious Office Droppers 2018-11-21 11:18:05 +01:00
Florian Roth
1b0fc045a4 Added David to the authors 2018-11-15 17:25:58 +01:00
Florian Roth
c6c86e7eca Nick's rule for Base64 encoded PS1 shellcode 2018-11-15 15:12:30 +01:00
Florian Roth
5e0adc108b Added LOKI / SPARK specific rule to thor's inverse set 2018-11-15 09:23:01 +01:00
Florian Roth
427c221d42 Suspicious renamed Dot1Xtray rule DLL-Sideloading 2018-11-15 09:21:21 +01:00
Florian Roth
1dd9a238be JexBoss Webshells 2018-11-09 08:42:39 +01:00
Florian Roth
061e7bd3f5 Renamed DriveCrypt rule 2018-11-09 08:28:21 +01:00
Florian Roth
3dc1826e89 New JRAT rule 2018-11-09 08:28:05 +01:00
Florian Roth
860e9cd600 Backnet Open Source C# backdoor 2018-11-09 08:27:53 +01:00
Florian Roth
2ae56a9b21 JPCERT CobaltStrike beacon rule 2018-11-09 08:27:38 +01:00