valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 10:28:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,012 Commits 2 Branches 1 Tag 33 MiB
c63973effd
Commit Graph

759 Commits

Author SHA1 Message Date
Florian Roth
833b49041a Patchwork ArtraDownloader 2019-08-27 12:19:05 +02:00
Florian Roth
63804a5b22 false positives and renamed rule 2019-08-27 12:19:05 +02:00
null
a1a3c9e5f9 Refined the rules a bit to include in-mem encoded and decoded elements. Most rules only look for things that can be easily changed in the C2 profile. 2019-08-19 14:13:13 +02:00
null
61e4bb20e7 Added rule for Cobalt Strike sleep_mask obfuscation 2019-08-16 14:16:26 +02:00
Florian Roth
3713b5ff1e docs: fixed references in APT41 rules 2019-08-08 08:59:56 +02:00
Florian Roth
28b0cd7ca3 APT41 YARA rules 
https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html
 2019-08-08 08:58:51 +02:00
Florian Roth
96f06e9595 Unsigned GoogleUpdate 2019-08-05 15:23:55 +02:00
Florian Roth
1bba8f8c87 fix: bugfix in GermanWiper rule 2019-08-05 13:30:24 +02:00
Florian Roth
e7ca17b28c GermanWiper by Frank Boldewin 
https://twitter.com/r3c0nst/status/1158326526766657538
 2019-08-05 13:21:10 +02:00
Florian Roth
4619840670 Just EICAR 2019-08-05 13:20:38 +02:00
Florian Roth
5aa7258694 Winnti BR report 2019-07-25 15:11:26 +02:00
Florian Roth
8af28e0fff PowerShell Caret Obfuscation Rule 2019-07-21 12:04:56 +02:00
Florian Roth
b4ef6f503e refactor: date cleanup 2019-07-21 12:04:41 +02:00
Florian Roth
3a36eabb3f ATM malware rule 2019-07-17 22:10:59 +02:00
Florian Roth
e769a4e981 Nick Carr's modified IQY rule 2019-07-15 14:08:59 +02:00
John Lambert
dc8b24e87e
Create gen_suspicious_InPage_dropper.yar 
InPage file format exploit detection
 2019-07-03 07:08:49 -07:00
Florian Roth
5ceb00a0f6 AveMaria RAT 2019-07-02 20:29:33 +02:00
Florian Roth
815a59cc19 ZIP with .doc.lnk contents 2019-07-02 20:29:24 +02:00
Florian Roth
dbd1062b76 Suspicious VBA contents 2019-06-21 17:18:44 +02:00
Florian Roth
bfc6027482 XMRIG reference 2019-06-21 17:18:34 +02:00
Florian Roth
438a5c2fd7 Better MSI detection 2019-06-21 17:18:25 +02:00
Florian Roth
253371fef1 Some rule adjustments 2019-06-02 12:17:05 +02:00
Florian Roth
da7c9c5875 Nansh0u Crypto Miner Campaign 
https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
 2019-05-31 13:21:12 +02:00
Florian Roth
2e422bb5e8 Quasar RAT new rule 2019-05-28 09:49:22 +02:00
Florian Roth
3b2ef8f255 Linux Pnscan 2019-05-28 09:47:24 +02:00
Florian Roth
ba72f44b98 FPs in APT domains 2019-05-20 10:53:56 +02:00
Florian Roth
9f9f99ad69 Sofacy Indicators 2019-05-19 09:59:44 +02:00
Florian Roth
dbc720e5fe FPs 2019-05-17 15:41:52 +02:00
Florian Roth
6ff3452652 fixed two rules - FPs 2019-05-17 15:41:04 +02:00
Florian Roth
fb7a241b99 APT Winnti Linux 
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
 2019-05-15 20:12:56 +02:00
Florian Roth
2bf7076ccb RobinHood Ransomware 2019-05-15 13:10:27 +02:00
Florian Roth
6091e5f1f5 docs: changed reference in rule 2019-04-29 19:09:17 +02:00
Florian Roth
94a921593a SUSP_Base64_Encoded_Hex_Encoded_Code 
https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
 2019-04-29 15:40:29 +02:00
Florian Roth
843340a1f6 One of the new BabyShark rules for KimJongRAT 
https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
 2019-04-28 11:46:24 +02:00
Florian Roth
4153962b3c InjectDLL keyword - low scoring rule 2019-04-28 11:44:58 +02:00
Florian Roth
aa10cc3e09 Gamaredon group SFX dropper 2019-04-24 20:35:51 +02:00
Florian Roth
853762d0f4 DNSpionage Karkoff malware 2019-04-24 14:29:41 +02:00
Florian Roth
faf86f38ee Suspicious DropperBackdoor keyword 2019-04-24 10:35:10 +02:00
Florian Roth
48c5533ee8 Suspicious Netsh PortProxy command 2019-04-24 10:34:59 +02:00
Florian Roth
89b893219f APT34 / OilRig PowerShell malware 
https://twitter.com/0xffff0800/status/1118406371165126656
 2019-04-17 13:52:03 +02:00
Florian Roth
b8451ac254 APT NK HiddenCobra HOPLIGHT 2019-04-14 18:07:07 +02:00
Florian Roth
6b51398f01 fix: deactivate rule due to missing support for md5() 2019-04-10 11:12:21 +02:00
Florian Roth
989a5fb54d Duqu 1_5, Flame2 Orchestrator, Stuxshop YARA 2019-04-09 08:47:58 +02:00
Florian Roth
ce4b185127 Ransomware Wadhrama 2019-04-07 20:20:11 +02:00
Florian Roth
c1e2b7bc11 Suspicious RAR with .pdf ext obfuscation 2019-04-06 15:18:59 +02:00
Florian Roth
88101050ff APT37 rule by Steve Miller 2019-04-06 15:18:28 +02:00
Florian Roth
4c9d93b316 False Positives with SysInternals_Tool_Anomaly 2019-04-02 15:57:33 +02:00
Florian Roth
4511fcdc46 Fixed date values 2019-04-01 16:29:36 +02:00
Florian Roth
4e7795e86b ATM Malware JavaDispCache by Frank Boldewin 
https://twitter.com/r3c0nst/status/1111254169623674882
 2019-03-28 14:25:44 +01:00
Florian Roth
aad4925d37 Improved TA17-293A rule by Kyle O'Meara 
https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html
 2019-03-26 11:41:00 +01:00