Commit Graph

941 Commits

Author SHA1 Message Date
Florian Roth
6dd31e254c New MuddyWater signature 2018-06-13 13:34:58 +02:00
Florian Roth
4a4a94fc9c Rules prone to false positives on process memory to "file" only 2018-06-13 08:30:02 +02:00
Florian Roth
c0bd89425d False Positive Reduction 2018-06-10 20:16:00 +02:00
Florian Roth
c42709fe0d BluenoroffPoS DLL
http://blog.trex.re.kr/
2018-06-08 21:12:24 +02:00
Florian Roth
7900b0b69a QRAT filename IOCs 2018-06-08 21:11:50 +02:00
Florian Roth
be2315b3cf False Positive Reduction 2018-06-08 21:11:39 +02:00
Florian Roth
8f48aa959b APT Lazarus RAT & Dropper
https://twitter.com/DrunkBinary/status/1002587521073721346
2018-06-03 00:28:59 +02:00
Florian Roth
55aa4639d2 TA18-149A YARA signatures
https://www.us-cert.gov/ncas/alerts/TA18-149A
2018-06-01 09:25:27 +02:00
Florian Roth
077384492c Updated BadPDF rule 2018-05-29 14:22:41 +02:00
Florian Roth
7453558356 False Positive Hash 2018-05-29 14:22:28 +02:00
Florian Roth
cc63f0b120 File names found in Alina PoS malware 2018-05-29 14:22:08 +02:00
Florian Roth
3596fea85a False Positive Reduction 2018-05-24 16:12:52 +02:00
Florian Roth
c9296e7ca8 VPNFilter YARA rules 2018-05-24 16:12:37 +02:00
Florian Roth
ee986a7e7b Bugfix - missing "pe" 2018-05-20 19:41:00 +02:00
Florian Roth
9f3067d594 Floxif / FlyStudio malware 2018-05-20 18:49:45 +02:00
Florian Roth
0838bfff7d Hacktool ShellPop shells 2018-05-20 18:49:45 +02:00
Florian Roth
ae1bd7b7ea Suspicious LNK file with path-traversal-like relative path 2018-05-20 18:49:45 +02:00
Florian Roth
4671958b12 Suspicious LNK file with reference to AppData Roaming 2018-05-20 18:49:45 +02:00
Florian Roth
da89105ae5 Another Microsoft Copyright Anomaly 2018-05-20 18:49:45 +02:00
Florian Roth
a06dae24aa Renamed Rule 2018-05-20 18:49:45 +02:00
Florian Roth
abad2025a7 Patchwork hash IOCs 2018-05-20 18:49:45 +02:00
Florian Roth
642cc04bb0 False Positive Reduction 2018-05-20 18:49:45 +02:00
Florian Roth
43beb0f7fb
Merge pull request #35 from r00t0vi4/patch-1
Update generic_anomalies.yar
2018-05-08 13:53:37 +02:00
r00t0vi4
7e95136760
Update generic_anomalies.yar
Replace external variable "filetype" with hex 0x4749463839 (GIF89).
It simplifies the rules. You are using the external variable "filetype" only in this place.
2018-05-07 15:17:14 +03:00
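As an added illustration of the change this pull request describes (example rules written for this page, not the repository's generic_anomalies.yar and not the contributor's code), the same GIF-header check in its two forms. The rule names, the `<?php` payload string and the `at 0` anchoring are assumptions chosen for the illustration; the byte sequence 47 49 46 38 39 is the "GIF89" magic quoted in the commit.

```yara
/*
 * Form 1: the condition reads an external variable. YARA only knows
 * "filetype" if the scanner defines it, e.g.
 *     yara -d filetype=GIF example.yar sample.gif
 * Without "-d filetype=..." compilation of the whole file stops with an
 * "undefined identifier" error, so every consumer of the rule set has to
 * know about, and supply, this one variable. (Assumed rule name/layout.)
 */
rule GIF_Anomaly_ExternalVar_Example
{
    meta:
        description = "Example of the external-variable form (assumption, not the repo rule)"
    strings:
        $s1 = "<?php" ascii          // assumed payload: script text inside a supposed image
    condition:
        filetype == "GIF" and $s1
}

/*
 * Form 2: the header is tested against the file contents themselves.
 * No external variable, so the file compiles and scans stand-alone:
 *     yara example.yar sample.gif
 */
rule GIF_Anomaly_MagicBytes_Example
{
    meta:
        description = "Same check with the GIF89 magic tested in-file (assumption, not the repo rule)"
    strings:
        $gif89 = { 47 49 46 38 39 }   // "GIF89", the hex value quoted in the commit
        $s1    = "<?php" ascii
    condition:
        $gif89 at 0 and $s1
}
```

Anchoring the magic with `at 0` matters: without it the rule would also fire on any file that merely embeds a GIF somewhere, which is a common false-positive source. An equivalent condition without a string is `uint32be(0) == 0x47494638 and uint8(4) == 0x39`, which also avoids the string-search cost.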
Florian Roth
c595b47958 Winnti Burning Umbrella
https://401trg.pw/burning-umbrella/
2018-05-05 11:43:11 +02:00
Florian Roth
1f58d867d4 Turla Signature 2018-05-04 00:30:10 +02:00
Florian Roth
08385bc71d Bad PDF
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
2018-05-03 16:02:46 +02:00
Florian Roth
d8d0a753f1 Ocean Lotus Report by Tencent
https://s.tencent.com/research/report/471.html
2018-05-03 10:42:28 +02:00
Florian Roth
defc966d74 Fancy Bear Lojack Double Agent Hashes & YARA rule
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
2018-05-02 10:41:35 +02:00
Florian Roth
cc376073cc APT10 Hogfish Redleaves 2018-05-02 08:04:26 +02:00
Florian Roth
525c25703c Hogfish Redleaves Threat Analysis
https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf
2018-05-01 21:19:04 +02:00
Florian Roth
f77db67203 Malicious sample filename IOCs 2018-05-01 21:18:33 +02:00
Florian Roth
bd26c9226e Lazagne PW Dumper 2018-05-01 21:18:10 +02:00
Florian Roth
2b122abd9b Another YARA rule for CVE-2017-11882 detection 2018-05-01 21:17:24 +02:00
Florian Roth
fa605df675 False Positive Reduction 2018-05-01 21:17:00 +02:00
Florian Roth
c2e12db40c HScan False Positive 2018-04-26 23:19:47 +02:00
Florian Roth
b396038d14 Process Injector Generic 2018-04-26 23:19:35 +02:00
Florian Roth
abdc494d13 False Positive Reduction 2018-04-26 23:19:13 +02:00
Florian Roth
78ce62d33f Sednit Delphi Downloader
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
2018-04-26 23:18:46 +02:00
Florian Roth
f7da02c0f3 Kwampirs malware
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
2018-04-24 11:29:01 +02:00
Florian Roth
8d6d3b36ae GrandCrab malware 2018-04-24 11:22:46 +02:00
Florian Roth
b2448ab324 Orangeworm IOCs
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
2018-04-23 19:31:39 +02:00
Florian Roth
d4c0cb4488 Energetic Bear Hash IOCs 2018-04-23 19:31:39 +02:00
Florian Roth
7a7181975f NCCGroup Ghost RAT report
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/
2018-04-23 19:31:39 +02:00
Florian Roth
8424575572
Merge pull request #33 from yt0ng/signature-base-yt0ng
added winnti Mozilla Kingsoft Confusion in PE Metadata
2018-04-16 08:11:03 +02:00
Florian Roth
06067a7399
Slightly modified - and QA tested 2018-04-16 07:58:13 +02:00
Florian Roth
a4ecbf4410 WebMonitor RAT
https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/
2018-04-16 07:51:01 +02:00
yt0ng
edb7390a48 added winnti Mozilla Kingsoft Confusion in PE Metadata 2018-04-15 09:46:48 +02:00
Florian Roth
70037ba67e PowerShell JAB rule 2018-04-14 11:56:12 +02:00
Florian Roth
e0245230c3 Renamed rule to avoid problems with updated LOKI versions 2018-04-14 11:55:57 +02:00