John Lambert
7ef2cad740
Create SUSP_autocad_lsp_malware.yar
2019-02-07 16:05:49 -08:00
Florian Roth
ab3b967216
Minor changes
2019-02-07 18:09:34 +01:00
John Lambert
eba6596861
Create gen_macro_StarOffice_suspicious.yar
...
Performed a retrohunt to narrow down to the malicious hashes listed
2019-02-07 09:06:43 -08:00
Florian Roth
ec6bcf6edd
Changed filename
2019-02-07 09:48:08 +01:00
Florian Roth
ca3960b70e
Merge pull request #58 from JohnLaTwC/patch-9
...
Create gen_libre_office_CVE_2018_16858.yar
2019-02-05 19:54:33 +01:00
Florian Roth
312f78bfa3
Minor changes: rule name, nocase, removed size
2019-02-05 17:01:41 +01:00
John Lambert
2199580487
Create gen_libre_office_CVE_2018_16858.yar
2019-02-05 07:20:56 -08:00
Florian Roth
74c8970f95
Suspicious Katz.PDB
2019-02-05 09:11:43 +01:00
Florian Roth
fbe8852a9a
Extended suspicious LNK file content rule
2019-02-05 09:11:33 +01:00
Florian Roth
146d0e9ae1
Suspicious big LNK file
2019-02-05 09:11:16 +01:00
Florian Roth
30352f327e
ExileRAT
...
https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html
2019-02-04 20:44:06 +01:00
Florian Roth
0ee2f3d05f
New Crypto Coin miner rule
2019-02-02 17:14:44 +01:00
Florian Roth
e99f7237f2
Rule improvements
2019-02-02 17:14:44 +01:00
John Lambert
7bfd6e14da
Update gen_macro_ShellExecute_action.yar
2019-01-31 19:38:50 -08:00
Florian Roth
4dafd62d5e
APT DNS Hijacking campaign AA19-024A
...
https://www.us-cert.gov/ncas/alerts/AA19-024A
2019-01-29 15:31:54 +01:00
Florian Roth
6332f7c6ca
Kitty Fork Putty FP
2019-01-29 15:31:54 +01:00
Florian Roth
7564e6e8e6
False Positive Reduction
...
https://github.com/Neo23x0/signature-base/issues/54
2019-01-24 11:03:01 +01:00
Florian Roth
b5f6c82040
Suspicious RTF header anomaly
2019-01-20 17:36:32 +01:00
Florian Roth
e3bee33094
False Positive Reduction
2019-01-20 17:36:18 +01:00
Florian Roth
caef03b95b
fix: moved lsadump rule from general rules to the ext vars file
2019-01-19 12:22:32 +01:00
Florian Roth
ccd0b61cfd
bugfix: PowerShell_Susp_Parameter_Combo
2019-01-17 13:18:07 +01:00
Florian Roth
ca7f252dc0
False Positive Reduction
2019-01-17 13:12:39 +01:00
Florian Roth
c0b0167e7b
That's great
2019-01-16 19:29:40 +01:00
Florian Roth
e1262a718e
I'd adjust it like that
2019-01-16 19:27:29 +01:00
Jeff Beley
3fa7540094
Added rules for a tiny webshell and a go based htran variant
2019-01-16 10:58:25 -06:00
Florian Roth
32182ab8ff
Nitol Malware
2019-01-14 11:20:18 +01:00
Florian Roth
6d0e6bc997
Update gen_bad_pdf.yar
2019-01-10 11:28:31 +01:00
Clément Notin
a61ab94eff
gen_bad_pdf.yar: fix detection of Metasploit generated files
2019-01-10 10:49:55 +01:00
John Lambert
0de78e6654
Create gen_macro_ShellExecute_action.yar
...
Rule finds VBA macro samples that use the ShellExecute "evasion" method specified in the tweet mentioned in the rule.
2019-01-08 12:22:19 -08:00
Florian Roth
4349f58d37
Score adjustments
2019-01-08 09:18:54 +01:00
Florian Roth
9a0e7a44fb
Cryp RAT
2019-01-08 09:18:45 +01:00
Florian Roth
7216c088b0
JAVA class with VBS content
2019-01-07 13:28:06 +01:00
Florian Roth
6d9577a703
Putty abnormal file sizes
2019-01-07 13:27:31 +01:00
Florian Roth
03f109c14e
Improved script obfuscation rule
2019-01-03 11:04:14 +01:00
Florian Roth
9eec73061a
APT28 Zebrocy Golang Loader by @VK_Intel
...
https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html
2019-01-02 09:19:09 +01:00
Florian Roth
d26a5045d9
Ryuk Ransomware
2018-12-31 14:56:56 +01:00
Florian Roth
2fb2bd2481
fix: removed duplicate rule
2018-12-29 17:00:19 +01:00
Florian Roth
b6920c0d0c
Moved NK miner to generic list
2018-12-29 09:31:57 +01:00
Florian Roth
82a91c8d6c
Update on crypto coin miner
2018-12-29 09:31:14 +01:00
Florian Roth
819c4f2ac5
fix: missing "pe" import
2018-12-29 09:20:24 +01:00
Florian Roth
0b96d7131d
APT10 rule update with imphash rule
2018-12-29 09:17:56 +01:00
Florian Roth
900796dcdf
Hacktool NoPowerShell
2018-12-28 14:57:03 +01:00
Florian Roth
046b5736d0
YARA rule description cleanup
2018-12-28 12:38:31 +01:00
Florian Roth
cf85a7cd31
YARA rule svchosts
2018-12-22 09:12:34 +01:00
Florian Roth
72eaa194ae
Area1 Phishing Diplomacy Rules
2018-12-19 19:17:51 +01:00
Florian Roth
f73324aa1a
Minor adjustments in gen_malware_MacOS_plist_suspicious rule
2018-12-16 10:10:42 +01:00
John Lambert
bd8185482f
Detect suspicious MacOS launch agent config files
...
plist files contain configuration for user-specific background jobs in OSX. Malware abuses this feature for persistence. Coin miners have been seen to use this feature as well.
2018-12-14 13:55:31 -08:00
Florian Roth
13b238f39f
Fixed character formatting to wide in SUSP_Scheduled_Task_BigSize
2018-12-14 08:58:10 +01:00
Florian Roth
1b959e2a3b
False Positives on Exchange with SUSP_Scheduled_Task_BigSize
2018-12-14 08:55:48 +01:00
Florian Roth
e4dd8c610c
Fixed some dates
2018-12-14 08:55:27 +01:00