Commit Graph

578 Commits

Author SHA1 Message Date
Florian Roth
a30f16f056 False Positive Reduction 2018-08-21 10:58:45 +02:00
Florian Roth
9020d1f005 More HiddenCobra rules
https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
2018-08-13 16:27:03 +02:00
Florian Roth
1ee9142dc5 Improved certificate payload rule 2018-08-02 15:47:42 +02:00
Florian Roth
62400d7324 fix: missing import "pe" statement 2018-08-02 12:20:24 +02:00
Florian Roth
5141e33893 YARA rules for sample in FireEye's FIN7 report
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
2018-08-02 12:15:01 +02:00
Florian Roth
1ba9e9f57f DarkHydrus YARA rules 2018-08-02 11:51:03 +02:00
Florian Roth
3e9a1a5579 Certificate Payloads 2018-08-02 11:50:29 +02:00
Florian Roth
9bdccc2360 Hacktools: BeRoot, PDF Embedded Mal Code 2018-07-27 13:25:10 +02:00
Florian Roth
0cd91f3afe FancyBear MacOS Agent 2018-07-16 11:44:59 -06:00
Florian Roth
1bea712d70 False Positive Reduction 2018-07-16 11:44:41 -06:00
Florian Roth
24a899602e fix: Added missing import statement for "pe" module 2018-07-14 08:06:35 -06:00
Florian Roth
af76f26aa3 Big Bang report by Check Point
https://research.checkpoint.com/apt-attack-middle-east-big-bang/
2018-07-14 07:58:52 -06:00
Florian Roth
e6d6825c94 Monero miner update 2018-07-06 16:07:00 -06:00
Florian Roth
c2634bfa23 APT Rancor
https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/
2018-06-27 07:57:03 +02:00
Florian Roth
4122386cba Limited Cloud Hopper Rule 2018-06-25 10:57:21 +02:00
Florian Roth
93f62d8300 Hacktool PowerSploit Dropper 2018-06-24 22:44:28 +02:00
Florian Roth
5f87e74c00 Tick Weaponized USB 2018-06-24 22:44:11 +02:00
Florian Roth
1c41cd5d16 APT Thrip
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
2018-06-22 00:01:47 +02:00
Florian Roth
04a5426a14 Minor changes and adjustments 2018-06-22 00:00:14 +02:00
Florian Roth
c835b3a58c PLEAD Downloader 2018-06-16 17:40:31 +02:00
Florian Roth
3b25bd8a05 AR18-165 YARA rules 2018-06-16 17:40:18 +02:00
Florian Roth
e53539d7e4 Turla Agent.BTZ 2018-06-16 17:39:25 +02:00
Florian Roth
edfdb48bdc Score adjusted 2018-06-13 13:37:06 +02:00
Florian Roth
6dd31e254c New MuddyWater signature 2018-06-13 13:34:58 +02:00
Florian Roth
4a4a94fc9c Rules prone to false positives on process memory to "file" only 2018-06-13 08:30:02 +02:00
Florian Roth
c42709fe0d BluenoroffPoS DLL
http://blog.trex.re.kr/
2018-06-08 21:12:24 +02:00
Florian Roth
be2315b3cf False Positive Reduction 2018-06-08 21:11:39 +02:00
Florian Roth
8f48aa959b APT Lazarus RAT & Dropper
https://twitter.com/DrunkBinary/status/1002587521073721346
2018-06-03 00:28:59 +02:00
Florian Roth
55aa4639d2 TA18-149A YARA signatures
https://www.us-cert.gov/ncas/alerts/TA18-149A
2018-06-01 09:25:27 +02:00
Florian Roth
077384492c Updated BadPDF rule 2018-05-29 14:22:41 +02:00
Florian Roth
3596fea85a False Positive Reduction 2018-05-24 16:12:52 +02:00
Florian Roth
c9296e7ca8 VPNFilter YARA rules 2018-05-24 16:12:37 +02:00
Florian Roth
ee986a7e7b Bugfix - missing "pe" 2018-05-20 19:41:00 +02:00
Florian Roth
9f3067d594 Floxif / FlyStudio malware 2018-05-20 18:49:45 +02:00
Florian Roth
0838bfff7d Hacktool ShellPop shells 2018-05-20 18:49:45 +02:00
Florian Roth
ae1bd7b7ea Suspicious LNK file with path traversal like relative path 2018-05-20 18:49:45 +02:00
Florian Roth
4671958b12 Suspicious LNK file with reference to AppData Roaming 2018-05-20 18:49:45 +02:00
Florian Roth
da89105ae5 Another Microsoft Copyright Anomaly 2018-05-20 18:49:45 +02:00
Florian Roth
a06dae24aa Renamed Rule 2018-05-20 18:49:45 +02:00
Florian Roth
642cc04bb0 False Positive Reduction 2018-05-20 18:49:45 +02:00
r00t0vi4
7e95136760 Update generic_anomalies.yar
Replace external variable "filetype" with hex 0x4749463839 (GIF89).
It simplifies the rules. You are using the external variable "filetype" only in this place.
2018-05-07 15:17:14 +03:00
Florian Roth
c595b47958 Winnti Burning Umbrella
https://401trg.pw/burning-umbrella/
2018-05-05 11:43:11 +02:00
Florian Roth
1f58d867d4 Turla Signature 2018-05-04 00:30:10 +02:00
Florian Roth
08385bc71d Bad PDF
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
2018-05-03 16:02:46 +02:00
Florian Roth
defc966d74 Fancy Bear Lojack Double Agent Hashes & YARA rule
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
2018-05-02 10:41:35 +02:00
Florian Roth
cc376073cc APT10 Hogfish Redleaves 2018-05-02 08:04:26 +02:00
Florian Roth
bd26c9226e Lazagne PW Dumper 2018-05-01 21:18:10 +02:00
Florian Roth
2b122abd9b Another YARA rule for CVE-2017-11882 detection 2018-05-01 21:17:24 +02:00
Florian Roth
c2e12db40c HScan False Positive 2018-04-26 23:19:47 +02:00
Florian Roth
b396038d14 Process Injector Generic 2018-04-26 23:19:35 +02:00