Commit Graph

656 Commits

Author        SHA1        Message  Date

Florian Roth  721841fe94  Generic CryptoMiner rule  2018-01-05 16:17:38 +01:00
Florian Roth  606079efd0  NetWire RAT (ref: https://pastebin.com/8qaiyPxs)  2018-01-05 16:17:17 +01:00
Florian Roth  c992aec773  Xmrig XMR / Monero crypto mining software (ref: https://github.com/xmrig/xmrig)  2018-01-04 13:20:02 +01:00
Florian Roth  1edb995f29  VBS Dropper  2018-01-03 12:26:59 +01:00
Florian Roth  47c9072b5a  Updated hash whitelist in threat intel receiver  2018-01-03 00:19:37 +01:00
Florian Roth  e486ade31a  Removed Cylance notepad.exe false positive hash  2018-01-03 00:19:06 +01:00
Florian Roth  6d9828029b  Typo in Merlin rule  2017-12-29 15:15:57 +01:00
Florian Roth  f53a55c21e  Merlin Agent  2017-12-29 15:13:55 +01:00
Florian Roth  0ac77c2efb  Suspicious recon strings in file  2017-12-28 20:04:31 +01:00
Florian Roth  c778a07e38  RemCom Tool  2017-12-28 20:04:06 +01:00
Florian Roth  d1b0b90886  PowerShell Suite  2017-12-28 20:03:47 +01:00
Florian Roth  65a3a7b230  Hidden Cobra - BANKSHOT rules (my own and US-CERT's) (ref: https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity)  2017-12-26 21:14:26 +01:00
Florian Roth  8c39c997bf  THOR Armitage rules subset  2017-12-26 01:09:54 +01:00
Florian Roth  36e6757126  False Positive Reduction  2017-12-26 01:09:41 +01:00
Florian Roth  cadbe73482  Hidden Cobra Hash IOCs (ref: https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity)  2017-12-26 01:09:29 +01:00
Florian Roth  ecc050d96f  Lazarus group malware (ref: https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new)  2017-12-21 15:28:16 +01:00
Florian Roth  393671a275  Mimikatz log file type  2017-12-20 15:48:00 +01:00
Florian Roth  f0312d6a9d  Mimikatz output file  2017-12-20 15:47:45 +01:00
Florian Roth  e7020d1e59  Lazarus Group Hashes (ref: https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new)  2017-12-20 09:47:24 +01:00
Florian Roth  9b90d0c68c  Invoke-PSImage (ref: https://github.com/peewpw/Invoke-PSImage)  2017-12-19 16:48:16 +01:00
Florian Roth  1f17d1f284  False Positive Reduction  2017-12-19 16:47:49 +01:00
Florian Roth  6ac7eff3ce  Triton ICS malware hashes (ref: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)  2017-12-19 01:44:56 +01:00
Florian Roth  0214b89061  Disabled global rule to avoid the application in the concatenated rule set  2017-12-19 01:37:49 +01:00
Florian Roth  e58a67f5ad  False Positive Reduction  2017-12-19 01:36:08 +01:00
Florian Roth  33560d9876  HatMan Sigs (ref: https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware)  2017-12-19 01:35:54 +01:00
Florian Roth  05a203dc7b  False Positive Reduction  2017-12-17 23:55:33 +01:00
Florian Roth  ef4e347960  Suspicious AutoIt by Microsoft  2017-12-16 15:43:56 +01:00
Florian Roth  0d4043a273  OTX filename and hash IOC update Dec 17 1  2017-12-16 13:22:06 +01:00
Florian Roth  201c5e55c3  OTX C2 IOC update - extracted IPv4 and IPv6 IOCs from default file  2017-12-16 13:21:38 +01:00
Florian Roth  9ba8762a64  Various changes, SIEM export options extended by Scott Carpenter  2017-12-16 13:20:50 +01:00
Florian Roth  7d526b9892  Minor changes, make it compatible with Python3  2017-12-16 13:18:27 +01:00
Florian Roth  142e856eca  Lazarus group malware hash IOCs  2017-12-16 13:17:33 +01:00
Florian Roth  fef2d161cc  APT Triton rule extended with my own rule  2017-12-16 10:47:55 +01:00
Florian Roth  8d7ae7128b  OTX Hash IOCs: Update and False Positives removed  2017-12-15 14:30:00 +01:00
Florian Roth  c101ec5ea0  ICS Attack Framework TRITON (ref: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)  2017-12-14 16:23:43 +01:00
Florian Roth  2dde4ad69a  ZXShell Update  2017-12-12 01:00:22 +01:00
Florian Roth  5f17ceeb5e  APT xRAT (ref: http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/)  2017-12-12 01:00:00 +01:00
Florian Roth  c13e07a8b5  False Positive Reduction  2017-12-12 00:59:36 +01:00
Florian Roth  0e26cdfb37  Chrome file size anomaly false positive  2017-12-08 12:19:45 +01:00
Florian Roth  7d90aa1737  APT34 rules (ref: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html)  2017-12-08 12:19:27 +01:00
Florian Roth  14137908cc  False Positive Reduction  2017-12-07 15:23:59 +01:00
Florian Roth  ba3802d816  Universal exploit strings  2017-12-06 22:38:09 +01:00
Florian Roth  80c5113b02  Suspicious JS content  2017-12-06 22:37:57 +01:00
Florian Roth  41e0956fdc  Remote Admin - tool  2017-12-06 22:37:40 +01:00
Florian Roth  2c1e768adc  Charming Kitten Hash IOCs  2017-12-06 22:37:12 +01:00
Florian Roth  4c893df291  Carbanak Hash IOCs  2017-12-06 22:37:01 +01:00
Florian Roth  f34bf9d9c8  Reduced false positives with PowerShell casing anomaly rule  2017-11-30 15:13:36 +01:00
Florian Roth  2f9ac3fe8f  UBoatRAT (ref: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/)  2017-11-30 15:13:21 +01:00
Florian Roth  500e6c2da2  ROKRAT Update (ref: http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html)  2017-11-29 16:04:36 +01:00
Florian Roth  beb91736c3  Improved CVE-2017-8759 rule  2017-11-28 10:56:48 +01:00