valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 10:28:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,012 Commits 2 Branches 1 Tag 33 MiB
c63973effd
Commit Graph

759 Commits

Author SHA1 Message Date
Florian Roth
c835b3a58c PLEAD Downloader 2018-06-16 17:40:31 +02:00
Florian Roth
3b25bd8a05 AR18-165 YARA rules 2018-06-16 17:40:18 +02:00
Florian Roth
e53539d7e4 Turla Agent.BTZ 2018-06-16 17:39:25 +02:00
Florian Roth
edfdb48bdc Score adjusted 2018-06-13 13:37:06 +02:00
Florian Roth
6dd31e254c New MuddyWater signature 2018-06-13 13:34:58 +02:00
Florian Roth
4a4a94fc9c Rules prone to false positives on process memory to "file" only 2018-06-13 08:30:02 +02:00
Florian Roth
c42709fe0d BluenoroffPoS DLL 
http://blog.trex.re.kr/
 2018-06-08 21:12:24 +02:00
Florian Roth
be2315b3cf False Positive Reduction 2018-06-08 21:11:39 +02:00
Florian Roth
8f48aa959b APT Lazarus RAT & Dropper 
https://twitter.com/DrunkBinary/status/1002587521073721346
 2018-06-03 00:28:59 +02:00
Florian Roth
55aa4639d2 TA18-149A YARA signatures 
https://www.us-cert.gov/ncas/alerts/TA18-149A
 2018-06-01 09:25:27 +02:00
Florian Roth
077384492c Updated BadPDF rule 2018-05-29 14:22:41 +02:00
Florian Roth
3596fea85a False Positive Reduction 2018-05-24 16:12:52 +02:00
Florian Roth
c9296e7ca8 VPNFilter YARA rules 2018-05-24 16:12:37 +02:00
Florian Roth
ee986a7e7b Bugfix - missing "pe" 2018-05-20 19:41:00 +02:00
Florian Roth
9f3067d594 Floxif / FlyStudio malware 2018-05-20 18:49:45 +02:00
Florian Roth
0838bfff7d Hacktool ShellPop shells 2018-05-20 18:49:45 +02:00
Florian Roth
ae1bd7b7ea Suspicious LNK file with path traversal like relative path 2018-05-20 18:49:45 +02:00
Florian Roth
4671958b12 Suspicious LNK file with reference to AppData Roaming 2018-05-20 18:49:45 +02:00
Florian Roth
da89105ae5 Another Microsoft Copyright Anomaly 2018-05-20 18:49:45 +02:00
Florian Roth
a06dae24aa Renamed Rule 2018-05-20 18:49:45 +02:00
Florian Roth
642cc04bb0 False Positive Reduction 2018-05-20 18:49:45 +02:00
r00t0vi4
7e95136760
Update generic_anomalies.yar 
Replace external variable "filetype" with hex 0x4749463839 (GIF89). 
It's a simplifies rules. You are using external variable "filetype" only in this place.
 2018-05-07 15:17:14 +03:00
Florian Roth
c595b47958 Winnti Burning Umbrella 
https://401trg.pw/burning-umbrella/
 2018-05-05 11:43:11 +02:00
Florian Roth
1f58d867d4 Turla Signature 2018-05-04 00:30:10 +02:00
Florian Roth
08385bc71d Bad PDF 
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
 2018-05-03 16:02:46 +02:00
Florian Roth
defc966d74 Fancy Bear Lojack Double Agent Hashes & YARA rule 
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
 2018-05-02 10:41:35 +02:00
Florian Roth
cc376073cc APT10 Hogfish Redleaves 2018-05-02 08:04:26 +02:00
Florian Roth
bd26c9226e Lazagne PW Dumper 2018-05-01 21:18:10 +02:00
Florian Roth
2b122abd9b Another YARA rule for CVE-2017-11882 detection 2018-05-01 21:17:24 +02:00
Florian Roth
c2e12db40c HScan False Positive 2018-04-26 23:19:47 +02:00
Florian Roth
b396038d14 Process Injector Generic 2018-04-26 23:19:35 +02:00
Florian Roth
abdc494d13 False Positive Reduction 2018-04-26 23:19:13 +02:00
Florian Roth
78ce62d33f Sednit Delphi Downloader 
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
 2018-04-26 23:18:46 +02:00
Florian Roth
f7da02c0f3 Kwampirs malware 
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
 2018-04-24 11:29:01 +02:00
Florian Roth
8d6d3b36ae GrandCrab malware 2018-04-24 11:22:46 +02:00
Florian Roth
8424575572
Merge pull request #33 from yt0ng/signature-base-yt0ng 
added winnti Mozilla Kingsoft Confusion in PE Metadata
 2018-04-16 08:11:03 +02:00
Florian Roth
06067a7399
Slightly modified - and QA tested 2018-04-16 07:58:13 +02:00
Florian Roth
a4ecbf4410 WebMonitor RAT 
https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/
 2018-04-16 07:51:01 +02:00
yt0ng
edb7390a48 added winnti Mozilla Kingsoft Confusion in PE Metadata 2018-04-15 09:46:48 +02:00
Florian Roth
70037ba67e PowerShell JAB rule 2018-04-14 11:56:12 +02:00
Florian Roth
e0245230c3 Renamed rule to avoid problems with updated LOKI versions 2018-04-14 11:55:57 +02:00
Florian Roth
615b9a117e Updated GIF cloaked webshell rule 2018-04-13 11:34:48 +02:00
Florian Roth
4ca62a2556 Turla Agent.BTZ 2018-04-12 19:42:29 +02:00
Florian Roth
5b2c2b58d9 Cosmetics 2018-04-11 23:51:43 +02:00
Florian Roth
f2f9956fbb New hacktool signatures 2018-04-11 23:51:43 +02:00
Florian Roth
c1b50600c1 Rule improvements 2018-04-11 23:51:43 +02:00
yt0ng
b6c6e60681 added Turla Kazuar RAT described by DrunkBinary 2018-04-09 14:22:36 +02:00
Florian Roth
da310446fe Generic PowerShell rule for code the uses Kernel32 / write remote process memory 2018-04-06 12:45:37 +02:00
Florian Roth
bb8fe2cdf4 Revised YARA sigs from NCSC report 
https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
 2018-04-06 12:45:37 +02:00
Florian Roth
68f98c8775 CVE-2014-4076 exploit code 2018-04-06 12:45:37 +02:00
Florian Roth
4e57b9f856 Renamed rule 2018-04-06 12:45:37 +02:00
Florian Roth
05f65d6592
Performance optimization 2018-04-03 15:30:23 +02:00
John Lambert
28bd891428
Update gen_unicorn_obfuscated_powershell.yar 
Tweak rule for optional paren
 2018-04-03 06:23:50 -07:00
John Lambert
30f914e71d
Update gen_unicorn_obfuscated_powershell.yar 
add support for alternative switches (i.e. -w and /w) and paren block on payload. Found in VT sample 1afb9795cb489abce39f685a420147a2875303a07c32bf7eec398125300a460b
 2018-04-03 06:17:48 -07:00
Florian Roth
4263292a16 Hidden Cobra Wiper 
https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
 2018-03-28 19:57:12 +02:00
John Lambert
df49f01006
update for VT uploads that include the POST header 
came across submissions (7d5819a2ea62376e24f0dd3cf5466d97bbbf4f5f730eb9302307154b363967ea, 2a69e46094d0fef2b3ffcab73086c16a10b517f58e0c1f743ece4f246889962b) with a header such as:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 90.147.64.54:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>...
 2018-03-28 05:31:01 -07:00
Florian Roth
2d4a023211 Updated Keyboy malware rules 2018-03-28 11:28:38 +02:00
Florian Roth
5a5268e3db Suspicious Keylogger / Backdoor PDB strings 2018-03-28 11:27:53 +02:00
Florian Roth
d89fda03fe Improved Impacket rules 2018-03-28 11:27:18 +02:00
Florian Roth
29dc390b2b OilRig / Chafer YARA Rules 
https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 2018-03-23 08:43:43 +01:00
Florian Roth
89eb1aaed2 Added .yar extension to weblogic exploit rule 2018-03-22 00:19:09 +01:00
Florian Roth
525bb2d361 False Positive Reduction 2018-03-22 00:17:41 +01:00
John Lambert
f6fef3e296
detect Oracle Weblogic exploit CVE-2017-10271 
Performed a retrohunt. 3 matches came back--all true positives:
20f5a6b4915d51c36b1e2fa77da7f75c44b07697b717ef733deba86d7c57b09a
376c2bc11d4c366ad4f6fecffc0bea8b195e680b4c52a48d85a8d3f9fab01c95
864e9d8904941fae90ddd10eb03d998f85707dc2faff80cba2e365a64e830e1d/subfile
 2018-03-21 14:06:07 -07:00
Florian Roth
1e2fb32e11 Removed rule - prone to false positives 2018-03-20 15:15:28 +01:00
Florian Roth
2b845847fc Bugfix in TA18-074A webshell rule 2018-03-17 11:18:13 +01:00
Florian Roth
0cef4b1890 Revised YARA rules of TA18-074A 2018-03-16 23:22:20 +01:00
Florian Roth
892b159c00 First commit of TA18-074A rules 2018-03-16 16:32:11 +01:00
Florian Roth
65d45e5638 Fixed false positives in Slingshot APT sigs 2018-03-12 15:26:00 +01:00
Florian Roth
5334216f73 Prone to false positives 
https://www.virustotal.com/en/file/8e928dc79b4dd5695b1b3fcd4592b7179c2e2857a82d325d49237977636b21d2/analysis/
 2018-03-12 14:56:19 +01:00
Florian Roth
2ce3e0bbaf Fix to avoid too many false positives 2018-03-12 14:49:03 +01:00
Florian Roth
117270469f Moved all rules that use ext vars to a new rule set 2018-03-12 13:47:40 +01:00
Florian Roth
3018b8b551 Extended the APT15 rules by NCCGroups rules (revised) 
https://github.com/nccgroup/Royal_APT/blob/master/signatures/apt15.yara
 2018-03-12 12:55:33 +01:00
Florian Roth
07b44fe78a APT15 YARA signatures 
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
 2018-03-12 09:40:31 +01:00
Florian Roth
125a220411 Slingshot APT YARA signatures 
https://securelist.com/apt-slingshot/84312/
 2018-03-10 12:20:04 +01:00
Florian Roth
3fe8f66d3b Bigfix: missing "pe" import 2018-03-09 15:35:38 +01:00
Florian Roth
9c5765484d DonotTeam YTYFramework YARA sig 
https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/
 2018-03-09 15:29:45 +01:00
Florian Roth
b031d55469 Crimson RAT 2018-03-08 18:56:38 +01:00
Florian Roth
cecd779892 Updated generic dump files : gesecdump output 2018-03-08 18:48:55 +01:00
Florian Roth
b0f6890de1 TSCookie RAT 2018-03-08 18:48:55 +01:00
Florian Roth
62ff9d53f5
PowerShell payload obfuscated by Unicorn toolkit 2018-03-08 18:24:10 +01:00
JohnLaTwC
70c1a24de4
finds powershell commands obfuscated by unicorn 
I see unicorn samples uploaded to VT a few times a day. Here is a rule for it. 
Unicorn toolkit: https://github.com/trustedsec/unicorn/

Example hashes:
14c708d8577eafc56fa8af4d45aaedfbba185aee6ffc22650b2b5b4a58c6ae0f
19c8d44fe80cfbd61e30f9aeef3f7433473e6ae66d7b2e26bae22ed9b338a755
1f1990d08ae6ac2480e2ba4fcc4f00105aa2eb8606fa5b23be450922a705a637
211c690cded91446b43ec2bd89a8071df8b96442b3fa9762a91945c8987996db
4b877196a90b2ad62fe795fff63d36742d9099ae677fe5e44ef47e6a9919adc4
5239c2de70c82b70ce3dac0669b4b4ec95b5d5fd0286bad8e3ec960217e20627

Also https://twitter.com/JohnLaTwC/status/971536587388407809
 2018-03-07 17:29:36 -08:00
JohnLaTwC
7cab502150
yara rule for encoded python payloads for adware 
Ran it through a retrohunt earlier and has good true positive track record in VT.  Very interesting python samples that it is a part of.
 2018-03-07 08:45:57 -08:00
Florian Roth
5110a57cd5 Minor changes: performance reasons, reference, hashes split up 2018-03-05 15:41:51 +01:00
Florian Roth
7c4b9b1725
Merge pull request #24 from JohnLaTwC/patch-1 
generic python reverse shell
 2018-03-05 15:36:05 +01:00
Florian Roth
27442f03b0 Operation Honey Bee Malware YARA sigs 
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
 2018-03-03 16:12:34 +01:00
Florian Roth
77281d4ea2 Generic dropper PDB string 2018-03-03 12:15:31 +01:00
Florian Roth
0b21871f52 IceFog malware 
https://twitter.com/ClearskySec/status/968104465818669057
 2018-03-03 10:15:24 +01:00
Florian Roth
c41806f2cf False Positive Reduction 2018-03-01 19:13:20 +01:00
Florian Roth
aefa8e8af7 Bugfix and extended Sofacy rule 2018-03-01 09:34:03 +01:00
Florian Roth
4bdcf3c64b Sofacy IOCs and YARA signature 2018-03-01 09:29:57 +01:00
Florian Roth
3a7554d535 MuddyWater Doc Dropper 2018-02-27 09:54:05 +01:00
JohnLaTwC
865ac9ce04
generic python reverse shell 
seen in:
1b97cb64e9be8db9d5e959d183f4c5469f7eafab0e34198be784f2e54a9cc768
22b33d5f2028eff3b11a68c8971cfcc6b57509efecf0af7ac6f9aa33e3929f93
25bd4762908751d19b4d27479470cb442319a1419af559bc5c31b83bece20ad4
26b8b960f08fea6d9f18a7ff7a44f46c90972d0fd48332ea90c32f8293266088
528bf356946abd82ce4639e1f66bd71bbad2fadfc83df1c4ff92ffd61e5e8a2c
5eb14f86ab101c5b78d8397a89e7c5a775464565dc5ed6af30eef14f264e0a62
640c80a36f387026871aa2d5e8447f990ec5b18395eb46f453c4215aee0d1846
6623f7f5a326c932ea893419509eac8c243363fea5eadbb940da0d3f949c79a6
6ca26484201218eb0352ce50f1937ec84f09f5187b882c23d2c9a67015d6aedb
743b5192bfe88e67dd1d2259a3ce5b02250b47fefa01274a88eb063a4746b378
b42309e69b8066bdb54faf425d19f5c84e5a00959e641609590cd6607a4601d6
b4e7f9a84ba3ad5f88ced24b43f5ba9bcc98976c45ae74b3e8c47921590e27f7
b8fd4dfe91708511ca87a83b3ee97da0dd4b5cc1e106e2ea6cb93ccddd3b7b17
bfb5c622a3352bb71b86df81c45ccefaa68b9f7cc0a3577e8013aad951308f12
c365c6d27f04637804f4d28c5aa5166342db1aa8712d94488bc518a21f408f53
f3b443d83488c35d5c11ff9eda98d460bf650071235561d3290f7f25c4c76405
fadb468f0324666a4b8eeb3bb499e84b11daa32efac2ae8ccaddf3941c5e25b1
 2018-02-24 14:52:23 -08:00
Florian Roth
d85ae13956 OSX malware by @JohnLaTwC 
https://ghostbin.com/paste/mz5nf
 2018-02-24 10:08:40 +01:00
Florian Roth
328024dfd0 Turla Mosquito YARA Sigs 
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf
 2018-02-23 11:50:35 +01:00
Florian Roth
5741438d48 Wscript.Shell rule false positive reduction 2018-02-20 20:12:00 +01:00
Florian Roth
2bdfedfd1a NanoCore RAT update 2018-02-20 20:11:09 +01:00
Florian Roth
898deba325 Loki Bot and Dropper (Feb variant) 2018-02-15 17:08:01 +01:00
Florian Roth
1af4d4347c New CVE-2017-11882 detection rule 2018-02-14 08:51:45 +01:00
Florian Roth
c1360521b4 VBS Obfuscator 2018-02-13 16:20:16 +01:00
Florian Roth
351b5e4c17 Modified Olympic Destroyer rule - made rule 1 a generic rule 2018-02-13 08:29:38 +01:00
Florian Roth
5321485d2a Olympic Destroyer 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 21:54:21 +01:00
Florian Roth
46d21154ca HawkEye keylogger variant rule 2018-02-12 18:22:30 +01:00
Florian Roth
699b322d89 CN disclosed malware repo - NjRAT 
https://twitter.com/cyberintproject/status/961714165550342146
 2018-02-09 10:04:27 +01:00
Florian Roth
e71703c8d0 WScript PowerShell Combo 2018-02-08 23:03:23 +01:00
Florian Roth
b1924d6cde False Positive Reduction 2018-02-08 22:59:08 +01:00
Florian Roth
e1bab3de46 Middle Eastern Campaign - Talos Report 
http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html
 2018-02-08 22:58:31 +01:00
Florian Roth
f51713750c False Positive Reduction 2018-02-07 14:39:28 +01:00
Florian Roth
fc18cc990f Scracruft APT malware 
https://twitter.com/craiu/status/959477129795731458
 2018-02-05 10:22:40 +01:00
Florian Roth
846f5ad86c OLE LoadSwf CVE 2018-4878 
https://www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/
 2018-02-05 10:20:19 +01:00
Florian Roth
f4a2b51773 Gold Dragon malware 
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
 2018-02-03 18:46:02 +01:00
Florian Roth
f96bd32fe6 Disabled DDEAUTO rule that slowed down scanning 2018-02-03 14:46:15 +01:00
Florian Roth
be02e262b0 Fixed False Postive for Taskmgr on Windows XP 2018-02-02 08:55:33 +01:00
Florian Roth
7c761e0463 Removed APT32 reference > Lotus Blossom 2018-01-31 23:56:02 +01:00
Florian Roth
13534b05c2 Bugfix in Elise rule 2018-01-31 23:27:11 +01:00
Florian Roth
ff7a1e6b99 APT32 Elise malware 
https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
 2018-01-31 23:26:23 +01:00
Florian Roth
75248fad5c Vermin Keylogger and Quasar RAT 
https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
 2018-01-30 11:08:57 +01:00
Florian Roth
8263b51229 TopHat campaign malware YARA rules 
https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/
 2018-01-29 09:00:09 +01:00
Florian Roth
58617146cd Missing import "pe" in Nidiran trojan rules 2018-01-28 17:15:17 +01:00
Florian Roth
97308ea71e Improved Suckfly's Nidiran trojan rules 2018-01-28 17:10:29 +01:00
Florian Roth
37678426bd OilRig RGDoor 2018-01-27 16:06:15 +01:00
Florian Roth
49aa97d855 Bugfix in thor-hacktools.yar > missing "pe" import 2018-01-24 20:17:04 +01:00
Florian Roth
95bd50cd19 Exclude false positives 2018-01-24 16:35:06 +01:00
Florian Roth
fff1af6822 Suspicious strings in OLE object - see reference for details 
https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/
 2018-01-24 12:40:40 +01:00
Florian Roth
a25c4986b8 Dark Caracal Mini RAT 2018-01-23 17:06:33 +01:00
Florian Roth
4bdd487d7f Envrial Credential Stealer 
https://twitter.com/malwrhunterteam/status/953313514629853184
 2018-01-22 08:47:09 +01:00
Florian Roth
321619dc51 OilRig IntelSecurityManager rules by Eyal Sela 2018-01-22 08:46:37 +01:00
Florian Roth
2f53083857 Turla malicious JavaScript 2018-01-22 08:46:03 +01:00
Florian Roth
547f608e81 Unspecified malware sample Jan 18 2018-01-22 08:45:44 +01:00
Florian Roth
5cd31380ef THOR's Mimikatz_Strings rule 2018-01-22 08:45:13 +01:00
Florian Roth
a1627b46f2 False Positive Reduction 2018-01-22 08:44:49 +01:00
Florian Roth
b8b9afb6c9 YARA rule for CVE-2018-0802 by Rich Warren 
https://github.com/rxwx/CVE-2018-0802/tree/master/yara
 2018-01-14 13:49:53 +01:00
Florian Roth
8c28cf612a YARA rule for CVE-2017-11882 by Rich Warren 
https://github.com/rxwx/CVE-2018-0802/tree/master/yara
 2018-01-14 13:49:40 +01:00
Florian Roth
befb06c4a1 North Korean Crypto Miner (by Chris Doman and me) 
https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner
 2018-01-10 08:36:13 +01:00
Florian Roth
721841fe94 Generic CryptoMiner rule 2018-01-05 16:17:38 +01:00
Florian Roth
606079efd0 NetWire RAT 
https://pastebin.com/8qaiyPxs
 2018-01-05 16:17:17 +01:00
Florian Roth
c992aec773 Xmrig XMR / Monero crypto mining software 
https://github.com/xmrig/xmrig
 2018-01-04 13:20:02 +01:00
Florian Roth
1edb995f29 VBS Dropper 2018-01-03 12:26:59 +01:00
Florian Roth
6d9828029b Typo in Merlin rule 2017-12-29 15:15:57 +01:00
Florian Roth
f53a55c21e Merlin Agent 2017-12-29 15:13:55 +01:00
Florian Roth
0ac77c2efb Suspicious recon strings in file 2017-12-28 20:04:31 +01:00
Florian Roth
c778a07e38 RemCom Tool 2017-12-28 20:04:06 +01:00
Florian Roth
d1b0b90886 PowerShell Suite 2017-12-28 20:03:47 +01:00
Florian Roth
65a3a7b230 Hidden Cobra - BANKSHOT rules (my own and UC CERT's) 
https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
 2017-12-26 21:14:26 +01:00
Florian Roth
8c39c997bf THOR Armitage rules sub set 2017-12-26 01:09:54 +01:00
Florian Roth
36e6757126 False Positive Reduction 2017-12-26 01:09:41 +01:00
Florian Roth
ecc050d96f Lazarus group malware 
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new
 2017-12-21 15:28:16 +01:00
Florian Roth
9b90d0c68c Invoke-PSImage 
https://github.com/peewpw/Invoke-PSImage
 2017-12-19 16:48:16 +01:00
Florian Roth
0214b89061 Disabled global rule to avoid the application in the concatenated rule set 2017-12-19 01:37:49 +01:00
Florian Roth
e58a67f5ad False Positive Reduction 2017-12-19 01:36:08 +01:00
Florian Roth
33560d9876 HatMan Sigs 
https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware
 2017-12-19 01:35:54 +01:00
Florian Roth
05a203dc7b False Positive Reduction 2017-12-17 23:55:33 +01:00
Florian Roth
ef4e347960 Suspicious Autoit by Microsoft 2017-12-16 15:43:56 +01:00
Florian Roth
fef2d161cc APT Triton rule extended with my own rule 2017-12-16 10:47:55 +01:00
Florian Roth
c101ec5ea0 ICS Attack Framework TRITON 
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
 2017-12-14 16:23:43 +01:00
Florian Roth
2dde4ad69a ZXShell Update 2017-12-12 01:00:22 +01:00
Florian Roth
5f17ceeb5e APT xRAT 
http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
 2017-12-12 01:00:00 +01:00
Florian Roth
c13e07a8b5 False Positive Reduction 2017-12-12 00:59:36 +01:00
Florian Roth
0e26cdfb37 Chrome file size anomaly false positive 2017-12-08 12:19:45 +01:00
Florian Roth
7d90aa1737 APT34 rules 
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
 2017-12-08 12:19:27 +01:00
Florian Roth
ba3802d816 Universal exploit strings 2017-12-06 22:38:09 +01:00
Florian Roth
80c5113b02 Suspicious JS content 2017-12-06 22:37:57 +01:00
Florian Roth
41e0956fdc Remote Admin - tool 2017-12-06 22:37:40 +01:00
Florian Roth
f34bf9d9c8 Reduced false positives with PowerShell casing anomaly rule 2017-11-30 15:13:36 +01:00
Florian Roth
2f9ac3fe8f UBoatRAT 
https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/
 2017-11-30 15:13:21 +01:00
Florian Roth
500e6c2da2 ROKRAT Update 
http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html
 2017-11-29 16:04:36 +01:00
Florian Roth
beb91736c3 Improved CVE 2017 8759 rule 2017-11-28 10:56:48 +01:00
Florian Roth
eaf9756bc9 Greenbug Malware 2017-11-27 16:55:43 +01:00
Florian Roth
7a9d7b9abd APT Turla Neuron 2017-11-25 00:40:07 +01:00
Florian Roth
dc521f581d Fixed OilRig rule - missing pe module 2017-11-24 13:06:18 +01:00
Florian Roth
a6383df158 CVE-2017-11882 by John Davison 2017-11-23 20:33:58 +01:00
Florian Roth
f8f8193249 Typo in ALFA shell rule 2017-11-22 18:15:00 +01:00
Florian Roth
15cbfd9048 New OilRig signature 
https://twitter.com/ClearskySec/status/933280188733018113
 2017-11-22 18:14:50 +01:00
Florian Roth
f11f0b27c1 Malicious lnk file rule 2017-11-22 16:46:31 +01:00
Florian Roth
8515a0b301 Improved description and added note for known false positives 2017-11-22 13:42:44 +01:00
Florian Roth
30610ff120 Webshell FOPO Obfuscation 2017-11-18 20:04:29 +01:00
Florian Roth
6943c01fc2 Alert (TA17-318B) HIDDEN COBRA – Volgmer 
https://www.us-cert.gov/ncas/alerts/TA17-318B
 2017-11-15 21:45:49 +01:00
Florian Roth
b7621bcb99 Alert (TA17-318A) HIDDEN COBRA – FALLCHILL 
https://www.us-cert.gov/ncas/alerts/TA17-318A
 2017-11-15 21:45:10 +01:00
Florian Roth
b187609d40 Reaver and SunOrcal malware 
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/
 2017-11-12 15:13:38 +01:00
Florian Roth
55868b5eff False Positive Reduction 2017-11-08 18:39:40 +01:00
Florian Roth
5bd15e9651 Bronze Butler Daserf malware 2017-11-08 12:52:38 +01:00
Florian Roth
3795d702b3 CrunchRAT 
https://github.com/t3ntman/CrunchRAT
 2017-11-04 01:57:05 +01:00
Florian Roth
be700a3c42 PowerShell Obfuscated Invoke - PE Loader 2017-11-03 08:28:52 +01:00
Florian Roth
b6522edf1f KeyBoys malware 
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html
 2017-11-03 08:28:16 +01:00
Florian Roth
f33f0140eb Silence malware 
https://securelist.com/the-silence/83009/
 2017-11-02 09:07:58 +01:00
Florian Roth
6d85ad4e2e Missing "pe" module import in Kasper rule 2017-10-31 12:11:27 +01:00
Florian Roth
1e22089eee Missing "pe" module import in APT28 rule 2017-10-31 11:29:48 +01:00
Florian Roth
8ffdc4c43c Kasper malware update 2017-10-31 10:44:39 +01:00
Florian Roth
49ce0546e9 APT Sofacy Hospitality report malware by CSECybsec 
http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf
 2017-10-31 10:44:17 +01:00
Florian Roth
c83cf1a6ed Improved DDE in Office documents rules by NVISO Labs 2017-10-25 23:44:30 +02:00
Florian Roth
957ac24585 BadRabbit ransomware 2017-10-25 08:57:00 +02:00
Florian Roth
e2e253c2f2 APT28 / Sofacy malware 
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
 2017-10-23 16:56:32 +02:00
Florian Roth
b542e0635c Cleanup 2017-10-23 16:54:53 +02:00
Florian Roth
81e2977704 False Positive Reduction 2017-10-23 16:54:34 +02:00
Florian Roth
3947d5adfd Changed wording after quality checks 2017-10-21 19:56:50 +02:00
Florian Roth
bce45632c9 US-CERT TA17-293A - modified YARA rule set 
https://www.us-cert.gov/ncas/alerts/TA17-293A
 2017-10-21 19:53:02 +02:00
Florian Roth
c9a9932b7b Bad Patch report YARA signatures 
https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/
 2017-10-21 16:27:18 +02:00
Florian Roth
43d5b1737f Bugfix in Puppy RAT rule 2017-10-20 09:54:59 +02:00
Florian Roth
8e01421bc4 Leviathan APT - Maritime and Defense Targets 
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
 2017-10-19 09:34:07 +02:00
Florian Roth
32fe1a4906 OilRig YARA rules derived from PaloAltoNetwork reports Sep/Oct 17 2017-10-19 09:29:59 +02:00
Florian Roth
1f8312fad0 Replaced non-ASCII character 2017-10-19 01:17:59 +02:00
Florian Roth
8da0b76701 False Positive Reduction - apply to files only (not memory) 2017-10-18 21:58:57 +02:00
Florian Roth
6f3e4bd79c Activate pe.imphash() expressions in my rules 2017-10-18 21:58:30 +02:00
Florian Roth
2ffd97c1d9 HKDoor Rules by Cylance Inc. 
https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html
 2017-10-18 21:57:37 +02:00
Florian Roth
ae643f78d9 FEIB Report - by BEA systems 
https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html
 2017-10-17 08:31:59 +02:00
Florian Roth
8c994452c4 Improved Reflective Loaders Rule 2017-10-15 10:53:06 +02:00
Florian Roth
04b278d87b Bronze Butler malware 
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
 2017-10-15 10:52:49 +02:00
Florian Roth
568aa89d4f PowerShell Casing Anomaly Adjustments 2017-10-14 23:00:13 +02:00
Florian Roth
3f27b85df6 False Positive Reduction 2017-10-14 12:59:00 +02:00
Florian Roth
430b1b88a2 Saudi Aramco Phishing campaign malware 2017-10-12 09:15:20 +02:00
Florian Roth
96d9ba4858 Results for the DDEAUTO rules are much better 2017-10-11 20:58:16 +02:00
Florian Roth
d3f19e9bf4 Too many false positives 2017-10-11 20:46:16 +02:00
Florian Roth
dca5a3dcf7 Missing PE module imports, minor changes 2017-10-11 18:43:19 +02:00
Florian Roth
ae9f920a2a Reduced score due to possible false positives 2017-10-11 16:21:43 +02:00
Florian Roth
364da99da5 Decting DDE in Office Docs - Sigs by NVISO Labs 
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
 2017-10-11 14:10:38 +02:00
Florian Roth
adf95a4396 Combined PS Anomaly rules to a single rule 2017-10-11 10:37:33 +02:00
Florian Roth
30f2d84d53 PS Anomaly - New version missed other positives / including both versions 2017-10-11 10:13:10 +02:00
Florian Roth
12ea6bc9bf Backdoor Snarasite 2017-10-08 00:14:03 +02:00
Florian Roth
3aad0049ec Backdoor Banker Corkow 
https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf
 2017-10-08 00:13:52 +02:00
Florian Roth
5c889db4a9 FreeMilk YARA rules bugfix - thx to M. Selck 2017-10-06 23:54:13 +02:00
Florian Roth
97c97a803c Uncommon size adjustments for new Win10 files 2017-10-06 10:19:51 +02:00
Florian Roth
dbec537768 FreeMilk APT - Palo Alto Networks Report 
https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
 2017-10-05 20:42:55 +02:00
Florian Roth
3560d720f7 URL file pointing to local EXE 2017-10-04 14:42:34 +02:00
Florian Roth
f44c9b9fcb PowerShell improved casing anomaly rule, WScript anomaly rule 2017-10-03 19:36:54 +02:00
Florian Roth
354ea043bb Hacktool RedSails 
https://github.com/BeetleChunks/redsails
 2017-10-03 19:36:17 +02:00
Florian Roth
3ea15953b9 WinDivert Driver - PUA: User mode packet capturing driver 2017-10-03 19:35:49 +02:00
Florian Roth
2b6cc72f64 CMSTAR Malware 
https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/
 2017-10-03 19:35:15 +02:00
Florian Roth
8574935d17 APT17 Malware September 2017 
http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/
 2017-10-03 19:34:53 +02:00
Florian Roth
1d8093a9de New suspicious PowerShell scripts 2017-10-01 00:24:31 +02:00
Florian Roth
8b3a138995 Minor changes to rule FP exclusions 2017-09-29 08:47:22 +02:00
Florian Roth
f15d1fef2a Xtreme RAT Sigs 2017-09-29 08:46:42 +02:00
Florian Roth
ae82dd03a8 False Positive Reduction 2017-09-27 16:35:14 +02:00
Florian Roth
c5737c7c37 Microcin YARA rules 
derived from samples in report https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf
 2017-09-27 16:34:34 +02:00
Florian Roth
78ff581ede Removed false positive rule 2017-09-27 16:34:24 +02:00
Florian Roth
558c99efc0 Invoke-Metasploit 2017-09-24 10:22:19 +02:00
Florian Roth
5226344c35 Sharpire 2017-09-24 10:22:09 +02:00
Florian Roth
dde5dd8bce Webshell Alfa Shell 2017-09-22 08:44:03 +02:00
Florian Roth
b0e79303e0 False Positive Reduction 2017-09-21 08:36:25 +02:00
Florian Roth
bf93fe559b Improved Exploits CVE-2017-8759 2017-09-16 08:34:51 +02:00
Florian Roth
a2f765d1da Corrected wording 2017-09-15 20:25:23 +02:00
Florian Roth
cb99556460 Exploits CVE-2017-8759 2017-09-15 20:23:51 +02:00
Florian Roth
244a922e70 False Positive Reduction 2017-09-15 11:30:03 +02:00
Florian Roth
81fc855b66 False Positive Reduction 2017-09-13 10:45:55 +02:00
Florian Roth
ae5e596f68 DragonFly APT 2017-09-12 08:22:07 +02:00
Florian Roth
2466c47263 PowerShell Case Anomalies 2017-09-12 00:19:38 +02:00
Florian Roth
5206ded7d1 False Positive Reduction 2017-09-12 00:19:09 +02:00
Florian Roth
da83b52200 Rehashed RAT 2017-09-10 00:29:29 +02:00
Florian Roth
85e98c2c1f Monsoon APT 2017-09-10 00:29:17 +02:00
Florian Roth
89e8fd8fcb Revenge RAT 2017-09-05 10:42:59 +02:00
Florian Roth
40d6afcc13 APT Turla Gazer 
https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
 2017-09-02 08:26:07 +02:00
Florian Roth
8077fe850d KHRAT malware update with scripts 2017-09-01 09:12:45 +02:00