Author | Commit | Message | Date
Florian Roth | b27786348e | refactor: remove 3rdparty submodule | 2020-06-30 21:29:42 +02:00
Florian Roth | 27ebc5de4f | feat: reversing labs YARA rule sub module | 2020-06-30 21:15:34 +02:00
Florian Roth | a69be9cf6d | PowerShell back tick obfuscation detection - improved | 2020-06-30 09:52:26 +02:00
Florian Roth | b29b2d2cca | PowerShell back tick obfuscation detection | 2020-06-30 09:35:16 +02:00
Florian Roth | 7f5597f91c | fix: limit rule due to in-memory FPs | 2020-06-30 09:35:16 +02:00
Florian Roth | 3df4fa5fa4 | BRONZE VINEWOOD hash IOCs | 2020-06-30 09:35:16 +02:00
Florian Roth | ec291a00c6 | Merge pull request #91 from hillu/master / Fix uint32*() patterns that can't return values > 2^32-1 | 2020-06-26 01:02:07 +02:00
Hilko Bengen | 0151322ae6 | Fix uint32*() patterns that can't return values > 2^32-1 | 2020-06-25 22:01:15 +02:00
Florian Roth | 3bffb0d4b3 | Ke3chang rules | 2020-06-18 20:16:53 +02:00
Florian Roth | 7117d38747 | fix: FPs with obfuscation rule | 2020-06-18 20:16:02 +02:00
Florian Roth | 4670cc70c0 | fix: FPs with lsass.exe | 2020-06-16 09:22:28 +02:00
Florian Roth | cb0c6f7859 | Anomalies | 2020-06-16 09:22:19 +02:00
Florian Roth | 59a04add34 | Extended suspicious env variable set to disable ETW | 2020-06-06 14:36:37 +02:00
Florian Roth | 68cf827556 | Suspicious env variable set to disable ETW | 2020-06-06 09:38:00 +02:00
Florian Roth | 1152659662 | Suspicious Base64 encoded blocks in script | 2020-06-05 13:31:43 +02:00
Florian Roth | 82f355da05 | rule: recon outputs | 2020-06-04 17:51:40 +02:00
Florian Roth | 9f48402fda | fix: wrong C2 IOC format | 2020-05-29 17:30:56 +02:00
Florian Roth | 0c8c43f0c3 | fix: removed problematic domain | 2020-05-29 16:57:55 +02:00
Florian Roth | 10c7f912b2 | more Sandworm rules | 2020-05-28 21:11:08 +02:00
Florian Roth | feb6649758 | added hashes to Sandworm rules | 2020-05-28 19:53:04 +02:00
Florian Roth | 9dd9ce950d | fix: removed duplicate rule | 2020-05-28 19:43:25 +02:00
Florian Roth | f9b9fc50d1 | fix: fixed another typo - need more sleep | 2020-05-28 18:43:44 +02:00
Florian Roth | 21c1d8e823 | Sandworm filename IOCs | 2020-05-28 18:43:10 +02:00
Florian Roth | ce4c2a7573 | Sandworm script YARA rules for forensic artefacts | 2020-05-28 18:37:58 +02:00
Florian Roth | 51c6c7aeb3 | fix: typo in threat group name | 2020-05-28 17:44:55 +02:00
Florian Roth | a2193b9cad | Sandworm exploiting Exim | 2020-05-28 17:30:27 +02:00
Florian Roth | ece905e149 | Turla Kazuar | 2020-05-28 17:28:59 +02:00
Florian Roth | c5ed51f009 | Greenbug IOCs | 2020-05-21 09:42:53 +02:00
Florian Roth | 0db924ec7c | ProLock ransomware rule by Frank Boldewin | 2020-05-20 08:26:38 +02:00
Florian Roth | 6e89c36847 | Chafer IOCs | 2020-05-20 08:25:55 +02:00
Florian Roth | 3aee93a2ee | fix: FPs with Armitage_MeterpreterSession_Strings on proc mem | 2020-05-19 09:19:43 +02:00
Florian Roth | 8e7d4a1158 | Attacks on Academic Data Centers | 2020-05-16 13:56:46 +02:00
Florian Roth | 517c648ecb | Attacks on Academic Data Centers | 2020-05-16 12:00:06 +02:00
Florian Roth | e42e4db4f0 | APT Turla Penquin by Leonardo S.p.A. | 2020-05-14 13:47:54 +02:00
Florian Roth | ba83c12e1b | Parallax RAT by @VK_Intel (https://twitter.com/VK_Intel/status/1257717709896396802) | 2020-05-05 19:52:40 +02:00
Florian Roth | e808fb867e | fix: FPs with rule on memory | 2020-05-05 19:47:48 +02:00
Florian Roth | b0d1cfd4da | APT Nazar by @_CPResearch_ (https://research.checkpoint.com/2020/nazar-spirits-of-the-past/) | 2020-05-05 19:47:35 +02:00
Florian Roth | b47c39c7b4 | Ragna Locker | 2020-05-04 11:27:43 +02:00
Florian Roth | 22975c20f9 | GuLoader by @VK_Intel | 2020-05-04 11:27:35 +02:00
Florian Roth | e9263b8f36 | rule: BazarBackdoor by @VK_Intel | 2020-04-25 13:59:51 +02:00
Florian Roth | ea579f2ac0 | fix: keyword ysoserial | 2020-04-25 13:59:24 +02:00
Florian Roth | 03797ce3e4 | Skeleton Key Campaign IOCs | 2020-04-20 13:28:35 +02:00
Florian Roth | 92bbeb8819 | rule: Maze Ransomware by @VK_Intel | 2020-04-20 11:12:50 +02:00
Florian Roth | bc26aee55a | rule: reversed base64 encoded executable | 2020-04-18 11:36:21 +02:00
Florian Roth | 99639b90dd | rule: Speculoos Backdoor | 2020-04-18 11:34:36 +02:00
Florian Roth | 9c36c492ad | Ransom COVID themed | 2020-04-15 21:25:44 +02:00
Florian Roth | 3294047c0b | Macro CHAR obfuscation by DissectMalware | 2020-04-08 14:55:29 +02:00
Florian Roth | 30bf5caa33 | EvilCorp Dridex Banker | 2020-04-06 09:33:51 +02:00
Florian Roth | e0083eb2c7 | APT Turla Linux Malware | 2020-04-05 20:36:10 +02:00
Florian Roth | e5129c647a | TinyPE file | 2020-03-30 19:19:15 +02:00