valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Signature base for my scanner tools
1,309 Commits 2 Branches 1 Tag 33 MiB
YARA 99%
Python 1%
8f4cfc2196
Go to file
Arnim Rupp 8f4cfc2196 Update gen_github_net_redteam_tools_guids.yara 
rule HKTL_NET_GUID_Manager {
rule HKTL_NET_GUID_neo_ConfuserEx {
rule HKTL_NET_GUID_SharpAllowedToAct {
rule HKTL_NET_GUID_SuperSQLInjectionV1 {
rule HKTL_NET_GUID_ADSearch {
rule HKTL_NET_GUID_privilege_escalation_awesome_scripts_suite {
rule HKTL_NET_GUID_CVE_2020_1206_POC {
rule HKTL_NET_GUID_DInvoke {
rule HKTL_NET_GUID_SharpChisel {
rule HKTL_NET_GUID_SharpScribbles {
rule HKTL_NET_GUID_SharpReg {
rule HKTL_NET_GUID_MemeVM {
rule HKTL_NET_GUID_SharpDir {
rule HKTL_NET_GUID_AtYourService {
rule HKTL_NET_GUID_LockLess {
rule HKTL_NET_GUID_EasyNet {
rule HKTL_NET_GUID_SharpByeBear {
rule HKTL_NET_GUID_SharpHide {
rule HKTL_NET_GUID_SharpSvc {
rule HKTL_NET_GUID_SharpCrashEventLog {
rule HKTL_NET_GUID_DotNetToJScript_LanguageModeBreakout {
rule HKTL_NET_GUID_SharPermission {
rule HKTL_NET_GUID_RegistryStrikesBack {
rule HKTL_NET_GUID_CloneVault {
rule HKTL_NET_GUID_donut {
rule HKTL_NET_GUID_SharpHandler {
rule HKTL_NET_GUID_Driver_Template {
rule HKTL_NET_GUID_NashaVM {
2021-01-21 23:25:30 +01:00
iocs filename IOC FPs 2021-01-04 16:55:44 +01:00
misc add solarwinds credential stealer + PHPs <?= to filetypes 2021-01-20 19:45:10 +01:00
threatintel Update MISP threat intel 2020-11-08 12:02:35 +01:00
vendor/yara fix: FPs with rule on memory 2020-05-05 19:47:48 +02:00
yara Update gen_github_net_redteam_tools_guids.yara 2021-01-21 23:25:30 +01:00
_config.yml Set theme jekyll-theme-slate 2018-08-26 12:04:25 +02:00
.gitignore .gitignore update 2019-02-02 17:14:44 +01:00
.travis.yml Travis CI build notifications only on changes 2019-01-13 09:39:01 +01:00
.yara-ci.yml YARA CI Config 2020-11-24 09:47:23 +01:00
build-rules.py Python 3 support in build script 2018-01-24 20:26:34 +01:00
LICENSE Creative Commons BY-NC 4.0 International License 2018-08-26 12:11:44 +02:00
makefile Signature base rules CSV update 2019-02-07 09:51:20 +01:00
README.md Update README.md 2020-12-12 12:11:31 +01:00
sig-base-rules.csv docs: sig-base-rules.csv 2019-04-06 19:35:41 +02:00

README.md

Build Status

Signature-Base

Signature-Base is the YARA signature and IOC database for our scanners LOKI and THOR Lite

Focus of Signature-Base

  1. High quality YARA rules and IOCs with minimal false positives
  2. Clear structure
  3. Consistent rule format

Directory Structure

  • iocs - Simple IOC files (CSV)
  • yara - YARA rules
  • threatintel - Threat Intel API Receiver (MISP, OTX)
  • misc - Other input files (not IOCs or signatures)

External Variables in YARA Rules

Using the YARA rules in a tool other than LOKI or THOR Lite will cause errors stating an undefined identifier. The rules that make use of external variables have been moved to the following 4 rule set files:

  • ./yara/generic_anomalies.yar
  • ./yara/general_cloaking.yar
  • ./yara/thor_inverse_matches.yar
  • ./yara/yara_mixed_ext_vars.yar

High Quality YARA Rules Feed

If you liked my rules, please check our commercial rule set and rule feed service, which contains better and 20 times the number of rules.

FAQs

How can I report false positives?

Use the issues section of this repository.

How can I provide a YARA rule or IOCs?

I accept pull requests. See this thread for some help on how to create such a request.

What are the differences between THOR Lite and LOKI?

See our comparison table here.

License

Creative Commons License

All signatures and IOC files in this repository, except the YARA rules created by 3rd parties, are licensed under the Creative Commons Attribution-NonCommercial 4.0 International License.

The license of this repository changed in August 2018. All forks or copies of this repository that were created before August 26th of 2018 are licensed under GPL 3.0. you can find the last GPL version in the release section.