Florian Roth
|
bd33c27075
|
OilRig filename IOCs
|
2017-10-19 12:01:23 +02:00 |
|
Florian Roth
|
8e01421bc4
|
Leviathan APT - Maritime and Defense Targets
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
|
2017-10-19 09:34:07 +02:00 |
|
Florian Roth
|
75101b02ce
|
Black Oasis IOCs
|
2017-10-19 09:30:40 +02:00 |
|
Florian Roth
|
32fe1a4906
|
OilRig YARA rules derived from PaloAltoNetwork reports Sep/Oct 17
|
2017-10-19 09:29:59 +02:00 |
|
Florian Roth
|
1f8312fad0
|
Replaced non-ASCII character
|
2017-10-19 01:17:59 +02:00 |
|
Florian Roth
|
8da0b76701
|
False Positive Reduction - apply to files only (not memory)
|
2017-10-18 21:58:57 +02:00 |
|
Florian Roth
|
6f3e4bd79c
|
Activate pe.imphash() expressions in my rules
|
2017-10-18 21:58:30 +02:00 |
|
Florian Roth
|
2ffd97c1d9
|
HKDoor Rules by Cylance Inc.
https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html
|
2017-10-18 21:57:37 +02:00 |
|
Florian Roth
|
ae643f78d9
|
FEIB Report - by BEA systems
https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html
|
2017-10-17 08:31:59 +02:00 |
|
Florian Roth
|
8c994452c4
|
Improved Reflective Loaders Rule
|
2017-10-15 10:53:06 +02:00 |
|
Florian Roth
|
04b278d87b
|
Bronze Butler malware
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
|
2017-10-15 10:52:49 +02:00 |
|
Florian Roth
|
568aa89d4f
|
PowerShell Casing Anomaly Adjustments
|
2017-10-14 23:00:13 +02:00 |
|
Florian Roth
|
3f27b85df6
|
False Positive Reduction
|
2017-10-14 12:59:00 +02:00 |
|
Florian Roth
|
430b1b88a2
|
Saudi Aramco Phishing campaign malware
|
2017-10-12 09:15:20 +02:00 |
|
Florian Roth
|
96d9ba4858
|
Results for the DDEAUTO rules are much better
|
2017-10-11 20:58:16 +02:00 |
|
Florian Roth
|
d3f19e9bf4
|
Too many false positives
|
2017-10-11 20:46:16 +02:00 |
|
Florian Roth
|
dca5a3dcf7
|
Missing PE module imports, minor changes
|
2017-10-11 18:43:19 +02:00 |
|
Florian Roth
|
ae9f920a2a
|
Reduced score due to possible false positives
|
2017-10-11 16:21:43 +02:00 |
|
Florian Roth
|
364da99da5
|
Decting DDE in Office Docs - Sigs by NVISO Labs
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
|
2017-10-11 14:10:38 +02:00 |
|
Florian Roth
|
d4f661decc
|
False Positive Reduction
|
2017-10-11 10:57:01 +02:00 |
|
Florian Roth
|
adf95a4396
|
Combined PS Anomaly rules to a single rule
|
2017-10-11 10:37:33 +02:00 |
|
Florian Roth
|
30f2d84d53
|
PS Anomaly - New version missed other positives / including both versions
|
2017-10-11 10:13:10 +02:00 |
|
Florian Roth
|
12ea6bc9bf
|
Backdoor Snarasite
|
2017-10-08 00:14:03 +02:00 |
|
Florian Roth
|
3aad0049ec
|
Backdoor Banker Corkow
https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf
|
2017-10-08 00:13:52 +02:00 |
|
Florian Roth
|
5c889db4a9
|
FreeMilk YARA rules bugfix - thx to M. Selck
|
2017-10-06 23:54:13 +02:00 |
|
Florian Roth
|
97c97a803c
|
Uncommon size adjustments for new Win10 files
|
2017-10-06 10:19:51 +02:00 |
|
Florian Roth
|
dbec537768
|
FreeMilk APT - Palo Alto Networks Report
https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
|
2017-10-05 20:42:55 +02:00 |
|
Florian Roth
|
3e7c48c5ee
|
Fixed regular expressions in filename IOCs
|
2017-10-05 16:06:46 +02:00 |
|
Florian Roth
|
3560d720f7
|
URL file pointing to local EXE
|
2017-10-04 14:42:34 +02:00 |
|
Florian Roth
|
f44c9b9fcb
|
PowerShell improved casing anomaly rule, WScript anomaly rule
|
2017-10-03 19:36:54 +02:00 |
|
Florian Roth
|
354ea043bb
|
Hacktool RedSails
https://github.com/BeetleChunks/redsails
|
2017-10-03 19:36:17 +02:00 |
|
Florian Roth
|
3ea15953b9
|
WinDivert Driver - PUA: User mode packet capturing driver
|
2017-10-03 19:35:49 +02:00 |
|
Florian Roth
|
2b6cc72f64
|
CMSTAR Malware
https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/
|
2017-10-03 19:35:15 +02:00 |
|
Florian Roth
|
8574935d17
|
APT17 Malware September 2017
http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/
|
2017-10-03 19:34:53 +02:00 |
|
Florian Roth
|
1d8093a9de
|
New suspicious PowerShell scripts
|
2017-10-01 00:24:31 +02:00 |
|
Florian Roth
|
8b3a138995
|
Minor changes to rule FP exclusions
|
2017-09-29 08:47:22 +02:00 |
|
Florian Roth
|
f15d1fef2a
|
Xtreme RAT Sigs
|
2017-09-29 08:46:42 +02:00 |
|
Florian Roth
|
ae82dd03a8
|
False Positive Reduction
|
2017-09-27 16:35:14 +02:00 |
|
Florian Roth
|
c5737c7c37
|
Microcin YARA rules
derived from samples in report https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf
|
2017-09-27 16:34:34 +02:00 |
|
Florian Roth
|
78ff581ede
|
Removed false positive rule
|
2017-09-27 16:34:24 +02:00 |
|
Florian Roth
|
558c99efc0
|
Invoke-Metasploit
|
2017-09-24 10:22:19 +02:00 |
|
Florian Roth
|
5226344c35
|
Sharpire
|
2017-09-24 10:22:09 +02:00 |
|
Florian Roth
|
dde5dd8bce
|
Webshell Alfa Shell
|
2017-09-22 08:44:03 +02:00 |
|
Florian Roth
|
b0e79303e0
|
False Positive Reduction
|
2017-09-21 08:36:25 +02:00 |
|
Florian Roth
|
6bd3d07baa
|
More malicious CCleaner hashes
|
2017-09-18 16:20:17 +02:00 |
|
Florian Roth
|
4699b5d732
|
Malicious CCleaner versions
|
2017-09-18 15:56:08 +02:00 |
|
Florian Roth
|
ddefcaa510
|
Vulnerable Apache Struts versions by @DCSO_de @DCSO
https://github.com/DCSO/vulninfos/tree/master/ApacheStrutsVulnerabilities
|
2017-09-16 08:36:57 +02:00 |
|
Florian Roth
|
bf93fe559b
|
Improved Exploits CVE-2017-8759
|
2017-09-16 08:34:51 +02:00 |
|
Florian Roth
|
a2f765d1da
|
Corrected wording
|
2017-09-15 20:25:23 +02:00 |
|
Florian Roth
|
cb99556460
|
Exploits CVE-2017-8759
|
2017-09-15 20:23:51 +02:00 |
|