valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
809 Commits 2 Branches 1 Tag 33 MiB
91ad6d20a4
Commit Graph

603 Commits

Author SHA1 Message Date
Florian Roth
f51713750c False Positive Reduction 2018-02-07 14:39:28 +01:00
Florian Roth
fc18cc990f Scracruft APT malware 
https://twitter.com/craiu/status/959477129795731458
 2018-02-05 10:22:40 +01:00
Florian Roth
846f5ad86c OLE LoadSwf CVE 2018-4878 
https://www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/
 2018-02-05 10:20:19 +01:00
Florian Roth
f4a2b51773 Gold Dragon malware 
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
 2018-02-03 18:46:02 +01:00
Florian Roth
f96bd32fe6 Disabled DDEAUTO rule that slowed down scanning 2018-02-03 14:46:15 +01:00
Florian Roth
be02e262b0 Fixed False Postive for Taskmgr on Windows XP 2018-02-02 08:55:33 +01:00
Florian Roth
7c761e0463 Removed APT32 reference > Lotus Blossom 2018-01-31 23:56:02 +01:00
Florian Roth
13534b05c2 Bugfix in Elise rule 2018-01-31 23:27:11 +01:00
Florian Roth
ff7a1e6b99 APT32 Elise malware 
https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
 2018-01-31 23:26:23 +01:00
Florian Roth
75248fad5c Vermin Keylogger and Quasar RAT 
https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
 2018-01-30 11:08:57 +01:00
Florian Roth
8263b51229 TopHat campaign malware YARA rules 
https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/
 2018-01-29 09:00:09 +01:00
Florian Roth
58617146cd Missing import "pe" in Nidiran trojan rules 2018-01-28 17:15:17 +01:00
Florian Roth
97308ea71e Improved Suckfly's Nidiran trojan rules 2018-01-28 17:10:29 +01:00
Florian Roth
37678426bd OilRig RGDoor 2018-01-27 16:06:15 +01:00
Florian Roth
49aa97d855 Bugfix in thor-hacktools.yar > missing "pe" import 2018-01-24 20:17:04 +01:00
Florian Roth
95bd50cd19 Exclude false positives 2018-01-24 16:35:06 +01:00
Florian Roth
fff1af6822 Suspicious strings in OLE object - see reference for details 
https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/
 2018-01-24 12:40:40 +01:00
Florian Roth
a25c4986b8 Dark Caracal Mini RAT 2018-01-23 17:06:33 +01:00
Florian Roth
4bdd487d7f Envrial Credential Stealer 
https://twitter.com/malwrhunterteam/status/953313514629853184
 2018-01-22 08:47:09 +01:00
Florian Roth
321619dc51 OilRig IntelSecurityManager rules by Eyal Sela 2018-01-22 08:46:37 +01:00
Florian Roth
2f53083857 Turla malicious JavaScript 2018-01-22 08:46:03 +01:00
Florian Roth
547f608e81 Unspecified malware sample Jan 18 2018-01-22 08:45:44 +01:00
Florian Roth
5cd31380ef THOR's Mimikatz_Strings rule 2018-01-22 08:45:13 +01:00
Florian Roth
a1627b46f2 False Positive Reduction 2018-01-22 08:44:49 +01:00
Florian Roth
b8b9afb6c9 YARA rule for CVE-2018-0802 by Rich Warren 
https://github.com/rxwx/CVE-2018-0802/tree/master/yara
 2018-01-14 13:49:53 +01:00
Florian Roth
8c28cf612a YARA rule for CVE-2017-11882 by Rich Warren 
https://github.com/rxwx/CVE-2018-0802/tree/master/yara
 2018-01-14 13:49:40 +01:00
Florian Roth
befb06c4a1 North Korean Crypto Miner (by Chris Doman and me) 
https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner
 2018-01-10 08:36:13 +01:00
Florian Roth
721841fe94 Generic CryptoMiner rule 2018-01-05 16:17:38 +01:00
Florian Roth
606079efd0 NetWire RAT 
https://pastebin.com/8qaiyPxs
 2018-01-05 16:17:17 +01:00
Florian Roth
c992aec773 Xmrig XMR / Monero crypto mining software 
https://github.com/xmrig/xmrig
 2018-01-04 13:20:02 +01:00
Florian Roth
1edb995f29 VBS Dropper 2018-01-03 12:26:59 +01:00
Florian Roth
6d9828029b Typo in Merlin rule 2017-12-29 15:15:57 +01:00
Florian Roth
f53a55c21e Merlin Agent 2017-12-29 15:13:55 +01:00
Florian Roth
0ac77c2efb Suspicious recon strings in file 2017-12-28 20:04:31 +01:00
Florian Roth
c778a07e38 RemCom Tool 2017-12-28 20:04:06 +01:00
Florian Roth
d1b0b90886 PowerShell Suite 2017-12-28 20:03:47 +01:00
Florian Roth
65a3a7b230 Hidden Cobra - BANKSHOT rules (my own and UC CERT's) 
https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
 2017-12-26 21:14:26 +01:00
Florian Roth
8c39c997bf THOR Armitage rules sub set 2017-12-26 01:09:54 +01:00
Florian Roth
36e6757126 False Positive Reduction 2017-12-26 01:09:41 +01:00
Florian Roth
ecc050d96f Lazarus group malware 
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new
 2017-12-21 15:28:16 +01:00
Florian Roth
9b90d0c68c Invoke-PSImage 
https://github.com/peewpw/Invoke-PSImage
 2017-12-19 16:48:16 +01:00
Florian Roth
0214b89061 Disabled global rule to avoid the application in the concatenated rule set 2017-12-19 01:37:49 +01:00
Florian Roth
e58a67f5ad False Positive Reduction 2017-12-19 01:36:08 +01:00
Florian Roth
33560d9876 HatMan Sigs 
https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware
 2017-12-19 01:35:54 +01:00
Florian Roth
05a203dc7b False Positive Reduction 2017-12-17 23:55:33 +01:00
Florian Roth
ef4e347960 Suspicious Autoit by Microsoft 2017-12-16 15:43:56 +01:00
Florian Roth
fef2d161cc APT Triton rule extended with my own rule 2017-12-16 10:47:55 +01:00
Florian Roth
c101ec5ea0 ICS Attack Framework TRITON 
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
 2017-12-14 16:23:43 +01:00
Florian Roth
2dde4ad69a ZXShell Update 2017-12-12 01:00:22 +01:00
Florian Roth
5f17ceeb5e APT xRAT 
http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
 2017-12-12 01:00:00 +01:00
Florian Roth
c13e07a8b5 False Positive Reduction 2017-12-12 00:59:36 +01:00
Florian Roth
0e26cdfb37 Chrome file size anomaly false positive 2017-12-08 12:19:45 +01:00
Florian Roth
7d90aa1737 APT34 rules 
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
 2017-12-08 12:19:27 +01:00
Florian Roth
ba3802d816 Universal exploit strings 2017-12-06 22:38:09 +01:00
Florian Roth
80c5113b02 Suspicious JS content 2017-12-06 22:37:57 +01:00
Florian Roth
41e0956fdc Remote Admin - tool 2017-12-06 22:37:40 +01:00
Florian Roth
f34bf9d9c8 Reduced false positives with PowerShell casing anomaly rule 2017-11-30 15:13:36 +01:00
Florian Roth
2f9ac3fe8f UBoatRAT 
https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/
 2017-11-30 15:13:21 +01:00
Florian Roth
500e6c2da2 ROKRAT Update 
http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html
 2017-11-29 16:04:36 +01:00
Florian Roth
beb91736c3 Improved CVE 2017 8759 rule 2017-11-28 10:56:48 +01:00
Florian Roth
eaf9756bc9 Greenbug Malware 2017-11-27 16:55:43 +01:00
Florian Roth
7a9d7b9abd APT Turla Neuron 2017-11-25 00:40:07 +01:00
Florian Roth
dc521f581d Fixed OilRig rule - missing pe module 2017-11-24 13:06:18 +01:00
Florian Roth
a6383df158 CVE-2017-11882 by John Davison 2017-11-23 20:33:58 +01:00
Florian Roth
f8f8193249 Typo in ALFA shell rule 2017-11-22 18:15:00 +01:00
Florian Roth
15cbfd9048 New OilRig signature 
https://twitter.com/ClearskySec/status/933280188733018113
 2017-11-22 18:14:50 +01:00
Florian Roth
f11f0b27c1 Malicious lnk file rule 2017-11-22 16:46:31 +01:00
Florian Roth
8515a0b301 Improved description and added note for known false positives 2017-11-22 13:42:44 +01:00
Florian Roth
30610ff120 Webshell FOPO Obfuscation 2017-11-18 20:04:29 +01:00
Florian Roth
6943c01fc2 Alert (TA17-318B) HIDDEN COBRA – Volgmer 
https://www.us-cert.gov/ncas/alerts/TA17-318B
 2017-11-15 21:45:49 +01:00
Florian Roth
b7621bcb99 Alert (TA17-318A) HIDDEN COBRA – FALLCHILL 
https://www.us-cert.gov/ncas/alerts/TA17-318A
 2017-11-15 21:45:10 +01:00
Florian Roth
b187609d40 Reaver and SunOrcal malware 
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/
 2017-11-12 15:13:38 +01:00
Florian Roth
55868b5eff False Positive Reduction 2017-11-08 18:39:40 +01:00
Florian Roth
5bd15e9651 Bronze Butler Daserf malware 2017-11-08 12:52:38 +01:00
Florian Roth
3795d702b3 CrunchRAT 
https://github.com/t3ntman/CrunchRAT
 2017-11-04 01:57:05 +01:00
Florian Roth
be700a3c42 PowerShell Obfuscated Invoke - PE Loader 2017-11-03 08:28:52 +01:00
Florian Roth
b6522edf1f KeyBoys malware 
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html
 2017-11-03 08:28:16 +01:00
Florian Roth
f33f0140eb Silence malware 
https://securelist.com/the-silence/83009/
 2017-11-02 09:07:58 +01:00
Florian Roth
6d85ad4e2e Missing "pe" module import in Kasper rule 2017-10-31 12:11:27 +01:00
Florian Roth
1e22089eee Missing "pe" module import in APT28 rule 2017-10-31 11:29:48 +01:00
Florian Roth
8ffdc4c43c Kasper malware update 2017-10-31 10:44:39 +01:00
Florian Roth
49ce0546e9 APT Sofacy Hospitality report malware by CSECybsec 
http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf
 2017-10-31 10:44:17 +01:00
Florian Roth
c83cf1a6ed Improved DDE in Office documents rules by NVISO Labs 2017-10-25 23:44:30 +02:00
Florian Roth
957ac24585 BadRabbit ransomware 2017-10-25 08:57:00 +02:00
Florian Roth
e2e253c2f2 APT28 / Sofacy malware 
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
 2017-10-23 16:56:32 +02:00
Florian Roth
b542e0635c Cleanup 2017-10-23 16:54:53 +02:00
Florian Roth
81e2977704 False Positive Reduction 2017-10-23 16:54:34 +02:00
Florian Roth
3947d5adfd Changed wording after quality checks 2017-10-21 19:56:50 +02:00
Florian Roth
bce45632c9 US-CERT TA17-293A - modified YARA rule set 
https://www.us-cert.gov/ncas/alerts/TA17-293A
 2017-10-21 19:53:02 +02:00
Florian Roth
c9a9932b7b Bad Patch report YARA signatures 
https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/
 2017-10-21 16:27:18 +02:00
Florian Roth
43d5b1737f Bugfix in Puppy RAT rule 2017-10-20 09:54:59 +02:00
Florian Roth
8e01421bc4 Leviathan APT - Maritime and Defense Targets 
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
 2017-10-19 09:34:07 +02:00
Florian Roth
32fe1a4906 OilRig YARA rules derived from PaloAltoNetwork reports Sep/Oct 17 2017-10-19 09:29:59 +02:00
Florian Roth
1f8312fad0 Replaced non-ASCII character 2017-10-19 01:17:59 +02:00
Florian Roth
8da0b76701 False Positive Reduction - apply to files only (not memory) 2017-10-18 21:58:57 +02:00
Florian Roth
6f3e4bd79c Activate pe.imphash() expressions in my rules 2017-10-18 21:58:30 +02:00
Florian Roth
2ffd97c1d9 HKDoor Rules by Cylance Inc. 
https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html
 2017-10-18 21:57:37 +02:00
Florian Roth
ae643f78d9 FEIB Report - by BEA systems 
https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html
 2017-10-17 08:31:59 +02:00
Florian Roth
8c994452c4 Improved Reflective Loaders Rule 2017-10-15 10:53:06 +02:00
Florian Roth
04b278d87b Bronze Butler malware 
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
 2017-10-15 10:52:49 +02:00
Florian Roth
568aa89d4f PowerShell Casing Anomaly Adjustments 2017-10-14 23:00:13 +02:00
Florian Roth
3f27b85df6 False Positive Reduction 2017-10-14 12:59:00 +02:00
Florian Roth
430b1b88a2 Saudi Aramco Phishing campaign malware 2017-10-12 09:15:20 +02:00
Florian Roth
96d9ba4858 Results for the DDEAUTO rules are much better 2017-10-11 20:58:16 +02:00
Florian Roth
d3f19e9bf4 Too many false positives 2017-10-11 20:46:16 +02:00
Florian Roth
dca5a3dcf7 Missing PE module imports, minor changes 2017-10-11 18:43:19 +02:00
Florian Roth
ae9f920a2a Reduced score due to possible false positives 2017-10-11 16:21:43 +02:00
Florian Roth
364da99da5 Decting DDE in Office Docs - Sigs by NVISO Labs 
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
 2017-10-11 14:10:38 +02:00
Florian Roth
adf95a4396 Combined PS Anomaly rules to a single rule 2017-10-11 10:37:33 +02:00
Florian Roth
30f2d84d53 PS Anomaly - New version missed other positives / including both versions 2017-10-11 10:13:10 +02:00
Florian Roth
12ea6bc9bf Backdoor Snarasite 2017-10-08 00:14:03 +02:00
Florian Roth
3aad0049ec Backdoor Banker Corkow 
https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf
 2017-10-08 00:13:52 +02:00
Florian Roth
5c889db4a9 FreeMilk YARA rules bugfix - thx to M. Selck 2017-10-06 23:54:13 +02:00
Florian Roth
97c97a803c Uncommon size adjustments for new Win10 files 2017-10-06 10:19:51 +02:00
Florian Roth
dbec537768 FreeMilk APT - Palo Alto Networks Report 
https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
 2017-10-05 20:42:55 +02:00
Florian Roth
3560d720f7 URL file pointing to local EXE 2017-10-04 14:42:34 +02:00
Florian Roth
f44c9b9fcb PowerShell improved casing anomaly rule, WScript anomaly rule 2017-10-03 19:36:54 +02:00
Florian Roth
354ea043bb Hacktool RedSails 
https://github.com/BeetleChunks/redsails
 2017-10-03 19:36:17 +02:00
Florian Roth
3ea15953b9 WinDivert Driver - PUA: User mode packet capturing driver 2017-10-03 19:35:49 +02:00
Florian Roth
2b6cc72f64 CMSTAR Malware 
https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/
 2017-10-03 19:35:15 +02:00
Florian Roth
8574935d17 APT17 Malware September 2017 
http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/
 2017-10-03 19:34:53 +02:00
Florian Roth
1d8093a9de New suspicious PowerShell scripts 2017-10-01 00:24:31 +02:00
Florian Roth
8b3a138995 Minor changes to rule FP exclusions 2017-09-29 08:47:22 +02:00
Florian Roth
f15d1fef2a Xtreme RAT Sigs 2017-09-29 08:46:42 +02:00
Florian Roth
ae82dd03a8 False Positive Reduction 2017-09-27 16:35:14 +02:00
Florian Roth
c5737c7c37 Microcin YARA rules 
derived from samples in report https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf
 2017-09-27 16:34:34 +02:00
Florian Roth
78ff581ede Removed false positive rule 2017-09-27 16:34:24 +02:00
Florian Roth
558c99efc0 Invoke-Metasploit 2017-09-24 10:22:19 +02:00
Florian Roth
5226344c35 Sharpire 2017-09-24 10:22:09 +02:00
Florian Roth
dde5dd8bce Webshell Alfa Shell 2017-09-22 08:44:03 +02:00
Florian Roth
b0e79303e0 False Positive Reduction 2017-09-21 08:36:25 +02:00
Florian Roth
bf93fe559b Improved Exploits CVE-2017-8759 2017-09-16 08:34:51 +02:00
Florian Roth
a2f765d1da Corrected wording 2017-09-15 20:25:23 +02:00
Florian Roth
cb99556460 Exploits CVE-2017-8759 2017-09-15 20:23:51 +02:00
Florian Roth
244a922e70 False Positive Reduction 2017-09-15 11:30:03 +02:00
Florian Roth
81fc855b66 False Positive Reduction 2017-09-13 10:45:55 +02:00
Florian Roth
ae5e596f68 DragonFly APT 2017-09-12 08:22:07 +02:00
Florian Roth
2466c47263 PowerShell Case Anomalies 2017-09-12 00:19:38 +02:00
Florian Roth
5206ded7d1 False Positive Reduction 2017-09-12 00:19:09 +02:00
Florian Roth
da83b52200 Rehashed RAT 2017-09-10 00:29:29 +02:00
Florian Roth
85e98c2c1f Monsoon APT 2017-09-10 00:29:17 +02:00
Florian Roth
89e8fd8fcb Revenge RAT 2017-09-05 10:42:59 +02:00
Florian Roth
40d6afcc13 APT Turla Gazer 
https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
 2017-09-02 08:26:07 +02:00
Florian Roth
8077fe850d KHRAT malware update with scripts 2017-09-01 09:12:45 +02:00
Florian Roth
e748094282 KHRAT 2017-08-31 22:20:17 +02:00
Florian Roth
d2f0457c9a False Positive 'Tools_termsrv' 2017-08-31 22:19:14 +02:00
Florian Roth
c7dc0ceae4 APT12 Malware 2017-08-30 20:19:40 +02:00
Florian Roth
c387cbecf7 Reduced false positives 2017-08-30 20:19:25 +02:00
Florian Roth
d3a90dfd17 Improved certutil rule 2017-08-30 20:19:09 +02:00
Florian Roth
76ebe6c67b Suspicious JS Run 2017-08-30 20:18:55 +02:00
Florian Roth
4c6377ae9a Changed tabs to spaces 2017-08-30 20:11:15 +02:00
Florian Roth
194e8b9d74 thor-hacktools.yar - some cherry picked rules 2017-08-30 20:11:00 +02:00
Florian Roth
9c5b1b1863 Malware used in South Korean campaign 
https://twitter.com/eyalsela/status/900248754091167744
 2017-08-23 13:21:56 +02:00
Florian Roth
2169ca69dc ShadowPad new Imphash 2017-08-23 13:21:21 +02:00
Florian Roth
cec8e3db5f Suspicious script running from http/https 2017-08-23 13:21:09 +02:00
Florian Roth
d7e3185df4 Tick Datper 
http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html
 2017-08-21 17:20:01 +02:00
Florian Roth
43d129b336 PowerShdll 2017-08-21 15:03:29 +02:00
Florian Roth
737943f40c More reflective DLL loaders 2017-08-20 12:06:08 +02:00
Florian Roth
c59a0b1e80 CHAOS Payload 2017-08-18 00:58:33 +02:00
Florian Roth
64e17301ae ShadowPad malicious nssock2.dll 
https://securelist.com/shadowpad-in-corporate-networks/81432/
 2017-08-15 21:12:57 +02:00
Florian Roth
b0be3141d8 Adjusted build options in make file to yara-python, rule renamed 2017-08-15 20:30:28 +02:00
Florian Roth
2444eb6d8f Pupy RAT Generic Rule 2017-08-12 21:48:18 +02:00
Florian Roth
f57c5e56ec Cobalt Strike CN group dropper, CobaltGang malware 2017-08-12 09:08:32 +02:00
Florian Roth
3be35fc5ba Improved ReflectiveLoader rule 2017-08-12 09:04:42 +02:00
Florian Roth
2091087567 Updated hacktool producers 2017-08-11 16:47:20 +02:00
Florian Roth
f3961c6c2c Disabled rule using feature that isn't available in prebuild YARA 3.5.0 2017-08-11 16:00:29 +02:00
Florian Roth
1ae31addcb CVE-2017-9800 exploit 2017-08-11 14:03:24 +02:00
Florian Roth
c9a80a958c False Positive Reduction 2017-08-07 17:57:35 +02:00
Florian Roth
e89c558936 Agent.BTZ 
http://www.intezer.com/new-variants-of-agent-btz-comrat-found/
 2017-08-07 15:16:22 +02:00
Florian Roth
d85c1108ef Impacket Generic Rule 2017-08-07 14:52:45 +02:00
Florian Roth
28e5995c27 FIN7 Backdoor 
https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor
 2017-08-07 14:32:33 +02:00
Florian Roth
d85a7422a9 False Positive Reduction 2017-08-07 12:47:13 +02:00
Florian Roth
d4d10331a9 Zeus Panda 2017-08-05 14:54:13 +02:00
Florian Roth
c62209983b Foudre Malware (Infy) 
https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/
 2017-08-02 08:43:10 +02:00
Florian Roth
6243ca31f6 avdapp.dll False Positive 2017-08-01 16:21:57 +02:00
Florian Roth
ba25f2e452 Malware Unspecified 2017-08-01 14:01:53 +02:00
Florian Roth
6f7c4d9459 CactusTorch Rule 2017-07-31 14:52:02 +02:00
Florian Roth
7917b639bf Improved ReflectiveLoader Rule 2017-07-31 14:51:46 +02:00
Florian Roth
1a062a5f18 False Positive Reduction 2017-07-30 11:54:03 +02:00
Florian Roth
3d52e22109 AllTheThings 2017-07-29 13:35:07 +02:00
Florian Roth
5e8d5add05 PowerShell Empire Mods Eval 2017-07-29 13:34:49 +02:00
Florian Roth
4c5e50e9f1 MyWScript Dropper 2017-07-29 13:34:37 +02:00
Florian Roth
a8f6bb60f1 False Positive Reduction 2017-07-29 13:34:21 +02:00
Florian Roth
ffed1820f5 Reflective Loader rule extended 2017-07-26 03:59:31 +02:00
Florian Roth
c5b5414fd6 Wilted Tulip YARA Signatures 2017-07-25 15:24:20 +02:00
Florian Roth
2e6351ca48 Removed duplicate Invoke-Mimikatz 2017-07-23 10:15:49 -06:00
Florian Roth
f8447db7e9 Invoke Mimikatz and Kekeo update 2017-07-22 07:57:58 -06:00
Florian Roth
05ee5af114 Bugfix in Rule 2017-07-20 12:27:16 -06:00
Florian Roth
1f0cad89f1 Bugfixes and False Positive Reduction 2017-07-20 12:24:49 -06:00
Florian Roth
f349e2df17 PS AMSI Bypass, JS Obfuscation/Dropbox, MSHTA Bypass 2017-07-19 19:50:59 -06:00
Florian Roth
b98ad7989d Renamed rule 2017-07-19 19:50:26 -06:00
Florian Roth
0e05adc80d Exploit code CVE-2015-2545 2017-07-19 19:47:39 -06:00
Florian Roth
990e20e3b6 Mimikatz Rules synct, SecurityXploded rule 2017-07-19 19:09:25 -06:00
Florian Roth
a5c774788c POSHSPY malware 2017-07-19 11:40:16 -06:00
Florian Roth
bfd2d404dc Merge pull request #17 from wesdawg/patch-1 
WildNeutron False Positive Fix
 2017-07-19 10:18:24 -06:00
Florian Roth
b4b45111a8 Unspecified Malware Jul17 2C 2017-07-19 10:17:25 -06:00
Florian Roth
2ee1f0fae8 LSASS Dump only if not filename starts with WER 2017-07-19 10:17:00 -06:00
Florian Roth
9146e905b3 Identified unspecified malware as Sality 2017-07-19 10:16:32 -06:00
wesdawg
e657e23aed Remove chickenkiller domain string 
chickenkiller is dynamic DNS, not WildNeutron specific.
 2017-07-18 16:46:58 -04:00
Florian Roth
ccac0893d8 Disclosed Disclosed 0day POC set 2017-07-13 08:36:43 -06:00