Florian Roth
ca7f252dc0
False Positive Reduction
2019-01-17 13:12:39 +01:00
Florian Roth
c0b0167e7b
That's great
2019-01-16 19:29:40 +01:00
Florian Roth
e1262a718e
I'd adjust it like that
2019-01-16 19:27:29 +01:00
Jeff Beley
3fa7540094
Added rules for a tiny webshell and a go based htran variant
2019-01-16 10:58:25 -06:00
Florian Roth
32182ab8ff
Nitol Malware
2019-01-14 11:20:18 +01:00
Florian Roth
6d0e6bc997
Update gen_bad_pdf.yar
2019-01-10 11:28:31 +01:00
Clément Notin
a61ab94eff
gen_bad_pdf.yar: fix detection of Metasploit generated files
2019-01-10 10:49:55 +01:00
John Lambert
0de78e6654
Create gen_macro_ShellExecute_action.yar
...
Rule finds VBA macro samples that use the ShellExecute "evasion" method specified in the tweet mentioned in the rule.
2019-01-08 12:22:19 -08:00
Florian Roth
4349f58d37
Score adjustments
2019-01-08 09:18:54 +01:00
Florian Roth
9a0e7a44fb
Cryp RAT
2019-01-08 09:18:45 +01:00
Florian Roth
7216c088b0
JAVA class with VBS content
2019-01-07 13:28:06 +01:00
Florian Roth
6d9577a703
Putty anormal file sizes
2019-01-07 13:27:31 +01:00
Florian Roth
03f109c14e
Improved script obfuscation rule
2019-01-03 11:04:14 +01:00
Florian Roth
9eec73061a
APT28 Zebrocy Golang Loader by @VK_Intel
...
https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html
2019-01-02 09:19:09 +01:00
Florian Roth
d26a5045d9
Ryuk Ransomware
2018-12-31 14:56:56 +01:00
Florian Roth
2fb2bd2481
fix: removed duplicate rule
2018-12-29 17:00:19 +01:00
Florian Roth
b6920c0d0c
Moved NK miner to generic list
2018-12-29 09:31:57 +01:00
Florian Roth
82a91c8d6c
Update on crypto coin miner
2018-12-29 09:31:14 +01:00
Florian Roth
819c4f2ac5
fix: missing "pe" import
2018-12-29 09:20:24 +01:00
Florian Roth
0b96d7131d
APT10 rule update with imphash rule
2018-12-29 09:17:56 +01:00
Florian Roth
900796dcdf
Hacktool NoPowerShell
2018-12-28 14:57:03 +01:00
Florian Roth
046b5736d0
YARA rule description cleanup
2018-12-28 12:38:31 +01:00
Florian Roth
cf85a7cd31
YARA rule svchosts
2018-12-22 09:12:34 +01:00
Florian Roth
72eaa194ae
Area1 Phishing Diplomacy Rules
2018-12-19 19:17:51 +01:00
Florian Roth
f73324aa1a
Minor adjustments in gen_malware_MacOS_plist_suspicious rule
2018-12-16 10:10:42 +01:00
John Lambert
bd8185482f
Detect suspicious MacOS launch agent config files
...
plist files contain configuration for user-specific background jobs in OSX. Malware abuses this feature for persistence. Coin miners have been seen to use this feature as well.
2018-12-14 13:55:31 -08:00
Florian Roth
13b238f39f
Fixed character formatting to wide in SUSP_Scheduled_Task_BigSize
2018-12-14 08:58:10 +01:00
Florian Roth
1b959e2a3b
False Positives on Exchange with SUSP_Scheduled_Task_BigSize
2018-12-14 08:55:48 +01:00
Florian Roth
e4dd8c610c
Fixed some dates
2018-12-14 08:55:27 +01:00
Florian Roth
e118b0c92e
Rule: Powershell Obfuscation
2018-12-13 14:25:01 +01:00
Florian Roth
826446a785
Low scoring rule: Anomaly - Linux UPX compressed binaries
2018-12-13 14:24:41 +01:00
Florian Roth
ab5ac55a1b
New HawkEye keylogger rule
2018-12-12 09:24:12 +01:00
Florian Roth
a22874af46
Lazagne Password Dumper
2018-12-11 15:12:42 +01:00
Florian Roth
80a090685d
False Positive Reduction and Cleanup
2018-12-11 15:08:39 +01:00
Florian Roth
9d38c8f4b3
Suspicious Scheduled Task BigSize
2018-12-07 08:20:44 +01:00
Florian Roth
2ed2af38f8
Suspicious Pirated Office 2007
2018-12-07 08:20:31 +01:00
Florian Roth
73bfc659da
fix: bugfix in SSHDoor rule - missing "and"
2018-12-05 21:03:24 +01:00
Florian Roth
a2c2478527
Limited SSHDoor rule to ELF to avoid false positives
2018-12-05 21:00:25 +01:00
Florian Roth
63010d1954
Linux/SSHDoor - Triton related by ESET - modified version
...
https://github.com/eset/malware-ioc/tree/master/sshdoor
2018-12-05 20:58:02 +01:00
Florian Roth
0a3567621b
fix: bugfix in generic_anomalies rule
2018-12-01 13:32:26 +01:00
Florian Roth
9291c8c9a1
fix: bugfix in general_anomalies.yar rule
2018-12-01 13:02:18 +01:00
Florian Roth
8cd247169a
False Positive Reduction
2018-12-01 08:33:33 +01:00
Florian Roth
3d1088575d
DNSPIONAGE
...
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
2018-12-01 08:33:20 +01:00
Florian Roth
db9ea97d62
fix: missing pe import
2018-11-23 08:38:19 +01:00
Florian Roth
8a22d4d403
Removed duplicate rules
2018-11-23 08:33:07 +01:00
Florian Roth
9d1848627d
Removed duplicate rules
2018-11-23 08:32:57 +01:00
Florian Roth
0f6acf4674
Turla PNG dropper
...
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
2018-11-23 08:32:10 +01:00
Florian Roth
16e70f3d2e
APT28 Cannon Trojan
2018-11-21 21:29:31 +01:00
Florian Roth
79f9a0fb4c
Suspicious Office Droppers
2018-11-21 11:18:05 +01:00
Florian Roth
1b0fc045a4
Added David to the authors
2018-11-15 17:25:58 +01:00