Florian Roth
cecd779892
Updated generic dump files : gesecdump output
2018-03-08 18:48:55 +01:00
Florian Roth
b0f6890de1
TSCookie RAT
2018-03-08 18:48:55 +01:00
Florian Roth
9152a81c7e
Merge pull request #27 from JohnLaTwC/patch-3
finds powershell commands obfuscated by unicorn
2018-03-08 18:26:22 +01:00
Florian Roth
62ff9d53f5
PowerShell payload obfuscated by Unicorn toolkit
2018-03-08 18:24:10 +01:00
JohnLaTwC
70c1a24de4
finds powershell commands obfuscated by unicorn
I see unicorn samples uploaded to VT a few times a day. Here is a rule for it.
Unicorn toolkit: https://github.com/trustedsec/unicorn/
Example hashes:
Also https://twitter.com/JohnLaTwC/status/971536587388407809
2018-03-07 17:29:36 -08:00
Florian Roth
37ccc0a471
Merge pull request #26 from JohnLaTwC/patch-2
yara rule for encoded python payloads for adware
2018-03-07 23:07:08 +01:00
JohnLaTwC
7cab502150
yara rule for encoded python payloads for adware
Ran it through a retrohunt earlier and it has a good true positive track record in VT. Very interesting python samples that it is a part of.
2018-03-07 08:45:57 -08:00
Florian Roth
5110a57cd5
Minor changes: performance reasons, reference, hashes split up
2018-03-05 15:41:51 +01:00
Florian Roth
7c4b9b1725
Merge pull request #24 from JohnLaTwC/patch-1
generic python reverse shell
2018-03-05 15:36:05 +01:00
Florian Roth
27442f03b0
Operation Honey Bee Malware YARA sigs
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
2018-03-03 16:12:34 +01:00
Florian Roth
77281d4ea2
Generic dropper PDB string
2018-03-03 12:15:31 +01:00
Florian Roth
0b21871f52
IceFog malware
https://twitter.com/ClearskySec/status/968104465818669057
2018-03-03 10:15:24 +01:00
Florian Roth
51f7b978a1
FinFisher IOCs
2018-03-02 17:04:34 +01:00
Florian Roth
e9eac4fdc6
Merge pull request #25 from jantdm/patch-1
Link broken
2018-03-02 13:46:54 +01:00
Florian Roth
c41806f2cf
False Positive Reduction
2018-03-01 19:13:20 +01:00
Florian Roth
aefa8e8af7
Bugfix and extended Sofacy rule
2018-03-01 09:34:03 +01:00
Florian Roth
4bdcf3c64b
Sofacy IOCs and YARA signature
2018-03-01 09:29:57 +01:00
Florian Roth
c6807a024d
Dumper False Positive Reduction
2018-03-01 09:29:35 +01:00
Jan Tiedemann
786fe0bffb
Link broken
Link to DCSO Apache Struts Vulns was broken (https://goo.gl/t4FKT5). Fixed that for you (https://goo.gl/7jGkpV).
2018-02-28 20:44:59 +01:00
Florian Roth
9fca4d3b9c
Fixed OTX IOCs / getall() retrieved IOCs from authors I wasn't subscribed to
2018-02-28 08:25:05 +01:00
Florian Roth
3a7554d535
MuddyWater Doc Dropper
2018-02-27 09:54:05 +01:00
JohnLaTwC
865ac9ce04
generic python reverse shell
seen in:
2018-02-24 14:52:23 -08:00
Florian Roth
3ed59d8f58
False Positive WinPcap
2018-02-24 21:41:10 +01:00
Florian Roth
d85ae13956
OSX malware by @JohnLaTwC
https://ghostbin.com/paste/mz5nf
2018-02-24 10:08:40 +01:00
Florian Roth
328024dfd0
Turla Mosquito YARA Sigs
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf
2018-02-23 11:50:35 +01:00
Florian Roth
8c2e553b72
Turla Mosquito Filename IOCs
2018-02-23 09:08:45 +01:00
Florian Roth
41e27b5786
False Positive
2018-02-22 10:35:09 +01:00
Florian Roth
5741438d48
Wscript.Shell rule false positive reduction
2018-02-20 20:12:00 +01:00
Florian Roth
2bdfedfd1a
NanoCore RAT update
2018-02-20 20:11:09 +01:00
Florian Roth
4bc10e04b4
False Positives
2018-02-19 14:40:39 +01:00
Florian Roth
2a46ed46e6
False Positives
2018-02-19 14:36:50 +01:00
Florian Roth
1cd914cb2b
New format not yet ready
2018-02-15 20:53:15 +01:00
Florian Roth
3d116ff009
False Positive Reduction
2018-02-15 17:08:17 +01:00
Florian Roth
898deba325
Loki Bot and Dropper (Feb variant)
2018-02-15 17:08:01 +01:00
Florian Roth
1af4d4347c
New CVE-2017-11882 detection rule
2018-02-14 08:51:45 +01:00
Florian Roth
c1360521b4
VBS Obfuscator
2018-02-13 16:20:16 +01:00
Florian Roth
3001100959
OTX update with new whitelist
2018-02-13 12:07:33 +01:00
Florian Roth
86c1b41459
Reworked hash whitelist
2018-02-13 11:53:30 +01:00
Florian Roth
c95a25cc72
Removed 0 byte file hashes
2018-02-13 11:36:21 +01:00
Florian Roth
1a0e093f37
OTX update
2018-02-13 08:30:41 +01:00
Florian Roth
351b5e4c17
Modified Olympic Destroyer rule - made rule 1 a generic rule
2018-02-13 08:29:38 +01:00
Florian Roth
b64222c853
Whitelisted problematic filename in OTX
2018-02-13 08:29:01 +01:00
Florian Roth
36f88a932f
Removed filename IOC that caused problem
2018-02-12 22:03:15 +01:00
Florian Roth
5321485d2a
Olympic Destroyer
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
2018-02-12 21:54:21 +01:00
Florian Roth
46d21154ca
HawkEye keylogger variant rule
2018-02-12 18:22:30 +01:00
Florian Roth
c7f3f6ff41
OTX Feed Update
2018-02-12 18:22:06 +01:00
Florian Roth
699b322d89
CN disclosed malware repo - NjRAT
https://twitter.com/cyberintproject/status/961714165550342146
2018-02-09 10:04:27 +01:00
Florian Roth
e71703c8d0
WScript PowerShell Combo
2018-02-08 23:03:23 +01:00
Florian Roth
b1924d6cde
False Positive Reduction
2018-02-08 22:59:08 +01:00
Florian Roth
308861a508
Middle Eastern Campaign - Talos Report - Filename IOCs
2018-02-08 22:58:53 +01:00