Florian Roth
615b9a117e
Updated GIF cloaked webshell rule
2018-04-13 11:34:48 +02:00
Florian Roth
7cec4f0426
Carbanak IOC FP with 7z.exe
2018-04-13 08:32:02 +02:00
Florian Roth
4ca62a2556
Turla Agent.BTZ
2018-04-12 19:42:29 +02:00
Florian Roth
b1641ee954
New and modified filename IOCs
2018-04-12 19:41:54 +02:00
Florian Roth
5b2c2b58d9
Cosmetics
2018-04-11 23:51:43 +02:00
Florian Roth
f2f9956fbb
New hacktool signatures
2018-04-11 23:51:43 +02:00
Florian Roth
c1b50600c1
Rule improvements
2018-04-11 23:51:43 +02:00
Florian Roth
35f521e91e
Merge pull request #32 from yt0ng/signature-base-yt0ng
...
added Turla Kazuar RAT described by DrunkBinary
2018-04-09 15:29:49 +02:00
yt0ng
b6c6e60681
added Turla Kazuar RAT described by DrunkBinary
2018-04-09 14:22:36 +02:00
Florian Roth
da310446fe
Generic PowerShell rule for code that uses Kernel32 / write remote process memory
2018-04-06 12:45:37 +02:00
Florian Roth
bb8fe2cdf4
Revised YARA sigs from NCSC report
...
https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
2018-04-06 12:45:37 +02:00
Florian Roth
68f98c8775
CVE-2014-4076 exploit code
2018-04-06 12:45:37 +02:00
Florian Roth
4e57b9f856
Renamed rule
2018-04-06 12:45:37 +02:00
Florian Roth
31d072c72b
Filename IOCs PrivEsc tools
2018-04-06 12:45:37 +02:00
Florian Roth
44b2424435
False Positive Reduction
2018-04-06 12:45:37 +02:00
Florian Roth
ef5550d6c4
Merge pull request #31 from JohnLaTwC/patch-5
...
Update gen_unicorn_obfuscated_powershell.yar
2018-04-03 15:35:31 +02:00
Florian Roth
05f65d6592
Performance optimization
2018-04-03 15:30:23 +02:00
John Lambert
28bd891428
Update gen_unicorn_obfuscated_powershell.yar
...
Tweak rule for optional paren
2018-04-03 06:23:50 -07:00
John Lambert
30f914e71d
Update gen_unicorn_obfuscated_powershell.yar
...
add support for alternative switches (i.e. -w and /w) and paren block on payload. Found in VT sample 1afb9795cb489abce39f685a420147a2875303a07c32bf7eec398125300a460b
2018-04-03 06:17:48 -07:00
Florian Roth
4263292a16
Hidden Cobra Wiper
...
https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
2018-03-28 19:57:12 +02:00
Florian Roth
364b2abdcd
Merge pull request #30 from JohnLaTwC/patch-5
...
update for VT uploads that include the POST header
2018-03-28 15:00:11 +02:00
John Lambert
df49f01006
update for VT uploads that include the POST header
...
came across submissions (7d5819a2ea62376e24f0dd3cf5466d97bbbf4f5f730eb9302307154b363967ea, 2a69e46094d0fef2b3ffcab73086c16a10b517f58e0c1f743ece4f246889962b) with a header such as:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 90.147.64.54:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/ ">
<soapenv:Header>...
2018-03-28 05:31:01 -07:00
Florian Roth
2d4a023211
Updated Keyboy malware rules
2018-03-28 11:28:38 +02:00
Florian Roth
5a5268e3db
Suspicious Keylogger / Backdoor PDB strings
2018-03-28 11:27:53 +02:00
Florian Roth
d89fda03fe
Improved Impacket rules
2018-03-28 11:27:18 +02:00
Florian Roth
29dc390b2b
OilRig / Chafer YARA Rules
...
https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
2018-03-23 08:43:43 +01:00
Florian Roth
89eb1aaed2
Added .yar extension to weblogic exploit rule
2018-03-22 00:19:09 +01:00
Florian Roth
525bb2d361
False Positive Reduction
2018-03-22 00:17:41 +01:00
Florian Roth
e7149067b5
Merge pull request #29 from JohnLaTwC/patch-4
...
detect Oracle Weblogic exploit CVE-2017-10271
2018-03-22 00:16:31 +01:00
John Lambert
f6fef3e296
detect Oracle Weblogic exploit CVE-2017-10271
...
Performed a retrohunt. 3 matches came back--all true positives:
20f5a6b4915d51c36b1e2fa77da7f75c44b07697b717ef733deba86d7c57b09a
376c2bc11d4c366ad4f6fecffc0bea8b195e680b4c52a48d85a8d3f9fab01c95
864e9d8904941fae90ddd10eb03d998f85707dc2faff80cba2e365a64e830e1d/subfile
2018-03-21 14:06:07 -07:00
Florian Roth
1e2fb32e11
Removed rule - prone to false positives
2018-03-20 15:15:28 +01:00
Florian Roth
2b845847fc
Bugfix in TA18-074A webshell rule
2018-03-17 11:18:13 +01:00
Florian Roth
59aaf36901
TEMP.Periscope hash IOCs
2018-03-16 23:23:02 +01:00
Florian Roth
a6e46b9b4a
TA18-074A filename IOCs
2018-03-16 23:22:44 +01:00
Florian Roth
0cef4b1890
Revised YARA rules of TA18-074A
2018-03-16 23:22:20 +01:00
Florian Roth
892b159c00
First commit of TA18-074A rules
2018-03-16 16:32:11 +01:00
Florian Roth
d37c5f6b98
False Positive
...
https://github.com/Neo23x0/Loki/issues/101#issuecomment-373337359
2018-03-15 12:36:37 +01:00
Florian Roth
65d45e5638
Fixed false positives in Slingshot APT sigs
2018-03-12 15:26:00 +01:00
Florian Roth
5334216f73
Prone to false positives
...
https://www.virustotal.com/en/file/8e928dc79b4dd5695b1b3fcd4592b7179c2e2857a82d325d49237977636b21d2/analysis/
2018-03-12 14:56:19 +01:00
Florian Roth
2ce3e0bbaf
Fix to avoid too many false positives
2018-03-12 14:49:03 +01:00
Florian Roth
117270469f
Moved all rules that use ext vars to a new rule set
2018-03-12 13:47:40 +01:00
Florian Roth
ff9c4850c5
Updated README - YARA rules with external vars
2018-03-12 13:44:40 +01:00
Florian Roth
3018b8b551
Extended the APT15 rules by NCCGroups rules (revised)
...
https://github.com/nccgroup/Royal_APT/blob/master/signatures/apt15.yara
2018-03-12 12:55:33 +01:00
Florian Roth
07b44fe78a
APT15 YARA signatures
...
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
2018-03-12 09:40:31 +01:00
Florian Roth
125a220411
Slingshot APT YARA signatures
...
https://securelist.com/apt-slingshot/84312/
2018-03-10 12:20:04 +01:00
Florian Roth
9f06d34539
Slingshot APT file hashes
...
https://securelist.com/apt-slingshot/84312/
2018-03-09 16:58:04 +01:00
Florian Roth
3fe8f66d3b
Bugfix: missing "pe" import
2018-03-09 15:35:38 +01:00
Florian Roth
d99e4b859e
NSA’s perspective on APT landscape - file name IOCs
...
https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
2018-03-09 15:30:19 +01:00
Florian Roth
9c5765484d
DonotTeam YTYFramework YARA sig
...
https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/
2018-03-09 15:29:45 +01:00
Florian Roth
b031d55469
Crimson RAT
2018-03-08 18:56:38 +01:00