Commit Graph

1103 Commits

Author       | SHA1       | Message                                           | Date
Florian Roth | a4e2f23c82 | Winnti loader rule by Vitali Kremez               | 2020-02-02 09:02:14 +01:00
Florian Roth | 90c2377fdc | Improved PowerShell rule                          | 2020-01-29 15:52:52 +01:00
Florian Roth | 72a737becd | Suspicious FromBase64String Base64 Rule           | 2020-01-29 15:06:31 +01:00
Florian Roth | 2aa792dc3a | New Emotet rule                                   | 2020-01-29 15:06:06 +01:00
Florian Roth | 434b102c1f | fix: imphash not necessary                        | 2020-01-24 15:33:57 +01:00
Florian Roth | feaf3a6cc2 | rule: renamed certutil                            | 2020-01-24 15:25:06 +01:00
Florian Roth | 01c489674c | fix: false positive reduction                     | 2020-01-21 18:07:30 +01:00
Florian Roth | 70a865f54e | APT RoyalRoad RTF signatures                      | 2020-01-21 18:07:18 +01:00
Florian Roth | c0a9bfae7b | JhoneRAT Hash IOCs                                | 2020-01-21 18:06:59 +01:00
Florian Roth | f294fa3b89 | improved shitrix rule: nocase                     | 2020-01-15 09:15:12 +01:00
    https://twitter.com/ItsReallyNick/status/1217308463174496256
Florian Roth | 2028be6db3 | fix: fixed typo in NSC                            | 2020-01-14 15:08:03 +01:00
Florian Roth | 7863689d6a | fix: fixed rule                                   | 2020-01-13 18:39:59 +01:00
Florian Roth | 9ae5a24c4c | change 2 YARA rule based on Will's comments       | 2020-01-13 17:55:38 +01:00
    https://twitter.com/wdormann/status/1216752426902003713
Florian Roth | 07899ff599 | change YARA rule based on Will's comments         | 2020-01-13 17:09:30 +01:00
    https://twitter.com/wdormann/status/1216752426902003713
Florian Roth | f6eb34c732 | Updated Shitrix rule                              | 2020-01-13 13:07:08 +01:00
Florian Roth | 13eede12b8 | Exploit payloads Shitrix                          | 2020-01-13 12:50:40 +01:00
Florian Roth | ffc4871f36 | Dustman ME attack                                 | 2020-01-09 16:30:04 +01:00
Florian Roth | bbdcaaa3c3 | fix: webshell FP reduction                        | 2020-01-09 16:29:56 +01:00
Florian Roth | 087afc84b6 | BRONZE PRESIDENT Hash IOCs                        | 2019-12-31 10:58:59 +01:00
Florian Roth | bd87dad4e4 | BRONZE PRESIDENT filename IOCs                    | 2019-12-31 10:57:28 +01:00
Florian Roth | 5a6fcb8045 | Suspiciously small VHD files                      | 2019-12-21 22:11:20 +01:00
Florian Roth | 93daa55f21 | Operation Wocao                                   | 2019-12-20 15:27:41 +01:00
Florian Roth | e666d752cc | Merge pull request #85 from JohnLaTwC/patch-14    | 2019-12-20 08:24:03 +01:00
    Update gen_python_pyminifier_encoded_payload.yar
John Lambert | 8a2087a78e | Update gen_python_pyminifier_encoded_payload.yar  | 2019-12-17 08:56:15 -08:00
    tweak rule slightly to catch more cases:
    15d201152a9465497a0f9dd6939e48315b358702c5e2a3c506ad436bb8816da7
    5c5c1b5c6a5d7eff3941040321fde425eca612e870bba553f22ae5f9a2bd3318
    d5664c70f3543f306f765ea35e22829dbea66aec729e8e11edea9806d0255b7e
Florian Roth | f30673e0e4 | Merge pull request #84 from JohnLaTwC/patch-13    | 2019-12-17 11:21:58 +01:00
    Create gen_python_pyminifier_encoded_payload.yar
John Lambert | b89f901688 | Create gen_python_pyminifier_encoded_payload.yar  | 2019-12-16 19:03:37 -08:00
    Detects encoded python files generated by pyminifier. Seen in Machete APT attacks as well as other malware on VT. Retrohunt results were all true positives:
    3eedd8b8369c03c5a117aa97b4d88b0e680e6d7d39b7efa8d32913d83b39f32d
    6e61fbf30f7197b8a9feaf84d5bf9c2b9232a5e110d07d7519c3dc4a92de6aee
    de111af09137c0c11253d4a01bf7c6c1e082568f2d07dfa7ddecd4a7bff75788
    b67256906d976aafb6071d23d1b3f59a1696f26b25ff4713b9342d41e656dfba
    d5664c70f3543f306f765ea35e22829dbea66aec729e8e11edea9806d0255b7e
    ed76bd136f40a23aeffe0aba02f13b9fea3428c19b715aafa6ea9be91e4006ca
    15d201152a9465497a0f9dd6939e48315b358702c5e2a3c506ad436bb8816da7
    dd2b0e2c2cb8a83574248bda54ce472899b22eb602e8ebecafcce2c4355177fe
    01df8765ea35db382d1dd67a502bf1d9647d8fe818ec31abff41c7e41c2816c0
    a961c6d9aa49eda3969f9b601aca65506369e6d0db9acb848e477477abbf6497
    b454179c13cb4727ae06cc9cd126c3379e2aded5c293af0234ac3312bf9bdad2
    5c5c1b5c6a5d7eff3941040321fde425eca612e870bba553f22ae5f9a2bd3318
Florian Roth | ead76e2f59 | Rule RAR exfiltration                             | 2019-12-16 18:17:20 +01:00
Florian Roth | a76d1ad79d | Suspicious RAR Ntds.dit content                   | 2019-12-16 18:00:48 +01:00
Florian Roth | a1270fb1f1 | Improved description                              | 2019-12-12 18:23:33 +01:00
Florian Roth | 947fb3e810 | GALLIUM Hash IOCs                                 | 2019-12-12 18:23:25 +01:00
Florian Roth | 6a559d885f | fix: fixed condition in cloaking rule             | 2019-12-09 13:27:52 +01:00
Florian Roth | 086e006463 | THOR filename IOCs donation                       | 2019-12-09 08:56:33 +01:00
Florian Roth | 04d342e1be | DePriMon hash IOCs                                | 2019-12-09 08:54:03 +01:00
Florian Roth | c7008bf1d4 | False Positive Reduction                          | 2019-12-09 08:53:51 +01:00
Florian Roth | c79b56af68 | Winnti YARA rules                                 | 2019-12-09 08:53:35 +01:00
Florian Roth | c5f6212d46 | New Mirai Sig                                     | 2019-11-14 08:37:41 +01:00
Florian Roth | ef711bf5a0 | Improved NK CyberAgent rule                       | 2019-11-06 20:41:04 +01:00
Florian Roth | 1ef38a6f5e | APT Malware NK unknown                            | 2019-11-06 20:23:17 +01:00
    https://www.virustotal.com/gui/user/CYBERCOM_Malware_Alert/comments
Florian Roth | a4e1fc222b | CS FPs                                            | 2019-11-06 13:52:59 +01:00
Florian Roth | 7e20664bce | Dark Universe Hashes                              | 2019-11-06 13:52:50 +01:00
Florian Roth | d013e5834b | C2 with it all hashes                             | 2019-11-06 13:52:43 +01:00
Florian Roth | 9729b0f794 | Calypso APT                                       | 2019-11-01 09:05:14 +01:00
Florian Roth | 53af347101 | rule: BitPaymer                                   | 2019-10-30 08:43:57 +01:00
Florian Roth | 03e2ff82b0 | Double base64 encoded executables                 | 2019-10-29 10:06:18 +01:00
Florian Roth | d26118570b | Reworked condition of DTRACK rule                 | 2019-10-28 21:26:17 +01:00
Florian Roth | d5e867192c | DTRACK rule adjusted                              | 2019-10-28 21:22:28 +01:00
Florian Roth | 63378664f5 | Reworked DTRACK rule                              | 2019-10-28 21:06:36 +01:00
Florian Roth | bd6474b7c3 | score adjusted                                    | 2019-10-28 20:38:50 +01:00
Florian Roth | c775e32091 | DTRACK malware                                    | 2019-10-28 20:38:42 +01:00
Florian Roth | 17e6f6ae80 | rule: xored expressions MSDOS stub                | 2019-10-28 13:41:13 +01:00