Task Information
Task ID: 62e2f563-02a4-11ed-9250-42010aa4000b File name: Github Neo23x0_signature-base APT.yar Task parameters: ClamAV scan: True Unpack: True Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
YARA Results
The following YARA rules matched on the file (static analysis).
Rule name: _Bitchin_Threads_
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file =Bitchin Threads=.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: _FsHttp_FsPop_FsSniffer
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: AlienSpy
Author: Fidelis Cybersecurity Description: AlienSpy Reference: Fidelis Threat Advisory #1015 - Ratting on AlienSpy - Apr 08, 2015 TLP: TLP:WHITE Repository: fideliscyber
Rule name: Ammyy_Admin_AA_v3
Author: Florian Roth Description: Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe Reference: http://goo.gl/gkAg2E TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT28_drovorub_unique_network_comms_strings
Author: NSA / FBI Description: Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based Reference: https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT28_Win_FreshFire
Author: threatintel@volexity.com Description: The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server. Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ TLP: TLP:WHITE
Rule name: APT_APT29_NOBELIUM_BoomBox_May21_1
Author: Florian Roth Description: Detects BoomBox malware as described in APT29 NOBELIUM report Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT29_NOBELIUM_BoomBox_May21_1_RID31ED
Author: Florian Roth Description: Detects BoomBox malware as described in APT29 NOBELIUM report Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ TLP: TLP:WHITE
Rule name: APT_APT29_NOBELIUM_JS_EnvyScout_May21_1
Author: Florian Roth Description: Detects EnvyScout deobfuscator code as used by NOBELIUM group Reference: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT29_NOBELIUM_JS_EnvyScout_May21_1_RID33E3
Author: Florian Roth Description: Detects EnvyScout deobfuscator code as used by NOBELIUM group Reference: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ TLP: TLP:WHITE
Rule name: APT_APT29_NOBELIUM_LNK_NV_Link_May21_2
Author: Florian Roth Description: Detects NV Link as used by NOBELIUM group Reference: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT29_NOBELIUM_LNK_NV_Link_May21_2_RID330D
Author: Florian Roth Description: Detects NV Link as used by NOBELIUM group Reference: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ TLP: TLP:WHITE
Rule name: APT_APT29_NOBELIUM_Stageless_Loader_May21_2
Author: Florian Roth Description: Detects stageless loader as used by APT29 / NOBELIUM Reference: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT29_Win_FlipFlop_LDR
Author: threatintel@volexity.com Description: A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload. Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ TLP: TLP:WHITE
Rule name: APT_APT34_PS_Malware_Apr19_1
Author: Florian Roth Description: Detects APT34 PowerShell malware Reference: https://twitter.com/0xffff0800/status/1118406371165126656 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT34_PS_Malware_Apr19_1_RID3047
Author: Florian Roth Description: Detects APT34 PowerShell malware Reference: https://twitter.com/0xffff0800/status/1118406371165126656 TLP: TLP:WHITE
Rule name: APT_APT34_PS_Malware_Apr19_3
Author: Florian Roth Description: Detects APT34 PowerShell malware Reference: https://twitter.com/0xffff0800/status/1118406371165126656 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT34_PS_Malware_Apr19_3_RID3049
Author: Florian Roth Description: Detects APT34 PowerShell malware Reference: https://twitter.com/0xffff0800/status/1118406371165126656 TLP: TLP:WHITE
Rule name: APT_APT41_CN_ELF_Speculoos_Backdoor
Author: Florian Roth Description: Detects Speculoos Backdoor used by APT41 Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_APT41_CN_ELF_Speculoos_Backdoor_RID3365
Author: Florian Roth Description: Detects Speculoos Backdoor used by APT41 Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/ TLP: TLP:WHITE
Rule name: APT_Backdoor_Win_GoRat_Memory
Author: FireEye Description: Identifies GoRat malware in memory based on strings. Reference: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_Builder_PY_REDFLARE_1
Author: FireEye Description: Detects FireEye's Python Redflar Reference: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_EQGRP_BananaAid_RID2D82
Author: Florian Roth Description: EQGRP Toolset Firewall - file BananaAid Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_BARPUNCH_BPICKER_RID2EE5
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100 Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_BBALL_RID2B90
Author: Florian Roth Description: EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_BFLEA_2201_RID2CB1
Author: Florian Roth Description: EQGRP Toolset Firewall - file BFLEA-2201.exe Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_BICECREAM_RID2CAE
Author: Florian Roth Description: EQGRP Toolset Firewall - file BICECREAM-2140 Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_BLIAR_BLIQUER_RID2E10
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230 Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_callbacks_RID2DD3
Author: Florian Roth Description: EQGRP Toolset Firewall - Callback addresses Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_config_jp1_UA_RID2F08
Author: Florian Roth Description: EQGRP Toolset Firewall - file config_jp1_UA.pl Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_EPBA_RID2B4B
Author: Florian Roth Description: EQGRP Toolset Firewall - file EPBA.script Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_extrabacon_RID2E5A
Author: Florian Roth Description: EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_Implants_Gen1_RID2F25
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, lpexe, writeJetPlow-2130 Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_Implants_Gen2_RID2F26
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, writeJetPlow-2130 Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_Implants_Gen3_RID2F27
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100 Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_Implants_Gen4_RID2F28
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120 Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_Implants_Gen5_RID2F29
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130 Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_jetplow_SH_RID2E32
Author: Florian Roth Description: EQGRP Toolset Firewall - file jetplow.sh Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_MixText_RID2D06
Author: Florian Roth Description: EQGRP Toolset Firewall - file MixText.py Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_pandarock_RID2DE6
Author: Florian Roth Description: EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_payload_RID2D1D
Author: Florian Roth Description: EQGRP Toolset Firewall - file payload.py Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_screamingplow_RID2FAE
Author: Florian Roth Description: EQGRP Toolset Firewall - file screamingplow.sh Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_sploit_py_RID2E16
Author: Florian Roth Description: EQGRP Toolset Firewall - file sploit.py Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_sploit_RID2CCE
Author: Florian Roth Description: EQGRP Toolset Firewall - from files sploit.py, sploit.py Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_ssh_telnet_29_RID2F36
Author: Florian Roth Description: EQGRP Toolset Firewall - from files ssh.py, telnet.py Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_StoreFc_RID2CE9
Author: Florian Roth Description: EQGRP Toolset Firewall - file StoreFc.py Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_tinyhttp_setup_RID3047
Author: Florian Roth Description: EQGRP Toolset Firewall - file tinyhttp_setup.sh Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_uninstallPBD_RID2EE3
Author: Florian Roth Description: EQGRP Toolset Firewall - file uninstallPBD.bat Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_userscript_RID2E87
Author: Florian Roth Description: EQGRP Toolset Firewall - file userscript.FW Reference: Research TLP: TLP:WHITE
Rule name: APT_EQGRP_workit_RID2CD3
Author: Florian Roth Description: EQGRP Toolset Firewall - file workit.py Reference: Research TLP: TLP:WHITE
Rule name: APT_FIN7_Strings_Aug18_1
Author: Florian Roth Description: Detects strings from FIN7 report in August 2018 Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: APT_FIN7_Strings_Aug18_1_RID2F27
Author: Florian Roth Description: Detects strings from FIN7 report in August 2018 Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html TLP: TLP:WHITE
Rule name: APT_HAFNIUM_Forensic_Artefacts_Mar21_1
Author: Florian Roth Description: Detects forensic artefacts found in HAFNIUM intrusions Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_HAFNIUM_Forensic_Artefacts_Mar21_1_RID3463
Author: Florian Roth Description: Detects forensic artefacts found in HAFNIUM intrusions Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ TLP: TLP:WHITE
Rule name: APT_Liudoor
Author: RSA FirstWatch Description: Detects Liudoor daemon backdoor TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_Agent_Csharp
Author: Fox-IT SRT Description: Strings from CSharp version of Agent Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_agent_powershell_b64encoded
Author: Fox-IT SRT Description: Piece of Base64 encoded data from Agent CSharp version Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_agent_powershell_dropper
Author: Fox-IT SRT Description: Strings from PowerShell dropper of CSharp version of Agent Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_agent_py
Author: Fox-IT SRT Description: Strings from Python version of Agent Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_agent_py_b64encoded
Author: Fox-IT SRT Description: Piece of Base64 encoded data from Agent Python version Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_checkadmin_bin
Author: Fox-IT SRT Description: Checkadmin utility Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_getos_py
Author: Fox-IT SRT Description: Python getos utility Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_info_vbs
Author: Fox-IT SRT Description: Strings from the information grabber VBS Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_injector_bin
Author: Fox-IT SRT Description: Process injector/launcher Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_keylogger_py
Author: Fox-IT SRT Description: Strings from Python keylogger Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_timeliner_bin
Author: Fox-IT SRT Description: Timeliner utility Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_webshell_console_jsp
Author: Fox-IT SRT Description: Strings from the console.jsp webshell Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_webshell_ver_jsp
Author: Fox-IT SRT Description: Strings from the ver.jsp webshell Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_webshell_webinfo
Author: Fox-IT SRT Description: Generic strings from webinfo.war webshells Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_xserver_csharp
Author: Fox-IT SRT Description: Strings from the CSharp version of XServer Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_xserver_powershell_b64encoded
Author: Fox-IT SRT Description: Piece of Base64 encoded data from the XServer PowerShell dropper Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_CN_Wocao_xserver_powershell_dropper
Author: Fox-IT SRT Description: Strings from the PowerShell dropper of XServer Reference: https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_DTRACK_Oct19_1
Author: Florian Roth Description: Detects DTRACK malware Reference: https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_HP_iLO_Firmware_Dec21_1
Author: Florian Roth Description: Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021 Reference: https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3
Author: Florian Roth Description: Detects BPFDoor implants used by Chinese actor Red Menshen Reference: https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Configuration_Key
Author: FR/ANSSI/SDO Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...] Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted
Author: FR/ANSSI/SDO Description: Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...] Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Socket_Path
Author: FR/ANSSI/SDO Description: Detects path of the unix socket created to prevent concurrent executions in Exaramel malware Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Strings
Author: FR/ANSSI/SDO (composed from 4 saparate rules by Florian Roth) Description: Detects Strings used by Exaramel malware Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Sandworm_Exaramel_Task_Names
Author: FR/ANSSI/SDO Description: Detects names of the tasks received from the CC server in Exaramel malware Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_MAL_Win_BlueLight_B
Author: threatintel@volexity.com Description: North Korean origin malware which uses a custom Google App for c2 communications. Reference: https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/ TLP: TLP:WHITE
Rule name: APT_Malware_PutterPanda_Rel
Author: Florian Roth Description: Detects an APT malware related to PutterPanda Reference: VT Analysis TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_Project_Sauron_arping_module
Author: Florian Roth Description: Detects strings from arping module - Project Sauron report by Kaspersky Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_Project_Sauron_arping_module_RID33C8
Author: Florian Roth Description: Detects strings from arping module - Project Sauron report by Kaspersky Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE
Rule name: APT_Project_Sauron_basex_module
Author: Florian Roth Description: Detects strings from basex module - Project Sauron report by Kaspersky Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_Project_Sauron_basex_module_RID335A
Author: Florian Roth Description: Detects strings from basex module - Project Sauron report by Kaspersky Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE
Rule name: APT_Project_Sauron_dext_module
Author: Florian Roth Description: Detects strings from dext module - Project Sauron report by Kaspersky Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_Project_Sauron_dext_module_RID32FC
Author: Florian Roth Description: Detects strings from dext module - Project Sauron report by Kaspersky Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE
Rule name: APT_Project_Sauron_kblogi_module
Author: Florian Roth Description: Detects strings from kblogi module - Project Sauron report by Kaspersky Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_Project_Sauron_kblogi_module_RID33BF
Author: Florian Roth Description: Detects strings from kblogi module - Project Sauron report by Kaspersky Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE
Rule name: APT_Project_Sauron_Scripts
Author: Florian Roth Description: Detects scripts (mostly LUA) from Project Sauron report by Kaspersky Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_PupyRAT_PY
Author: Florian Roth Description: Detects Pupy RAT Reference: https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_PupyRAT_PY_RID2BF2
Author: Florian Roth Description: Detects Pupy RAT Reference: https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations TLP: TLP:WHITE
Rule name: apt_RU_MoonlightMaze_cle_tool
Author: Kaspersky Lab Description: Rule to detect Moonlight Maze 'cle' log cleaning tool Reference: https://en.wikipedia.org/wiki/Moonlight_Maze TLP: TLP:WHITE Repository: Neo23x0
Rule name: apt_RU_MoonlightMaze_customlokitools
Author: Kaspersky Lab Description: Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings Reference: https://en.wikipedia.org/wiki/Moonlight_Maze TLP: TLP:WHITE Repository: Neo23x0
Rule name: apt_RU_MoonlightMaze_customsniffer
Author: Kaspersky Lab Description: Rule to detect Moonlight Maze sniffer tools Reference: https://en.wikipedia.org/wiki/Moonlight_Maze TLP: TLP:WHITE Repository: Neo23x0
Rule name: apt_RU_MoonlightMaze_de_tool
Author: Kaspersky Lab Description: Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool Reference: https://en.wikipedia.org/wiki/Moonlight_Maze TLP: TLP:WHITE Repository: Neo23x0
Rule name: apt_RU_MoonlightMaze_xk_keylogger
Author: Kaspersky Lab Description: Rule to detect Moonlight Maze 'xk' keylogger Reference: https://en.wikipedia.org/wiki/Moonlight_Maze TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_RU_Sandworm_PY_May20_1
Author: Florian Roth Description: Detects Sandworm Python loader Reference: https://twitter.com/billyleonard/status/1266054881225236482 TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_RU_Sandworm_PY_May20_1_RID3026
Author: Florian Roth Description: Detects Sandworm Python loader Reference: https://twitter.com/billyleonard/status/1266054881225236482 TLP: TLP:WHITE
Rule name: APT_RUBY_RokRat_Loader
Author: threatintel@volexity.com Description: Ruby loader seen loading the ROKRAT malware family. Reference: https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/ TLP: TLP:WHITE
Rule name: APT_Sandworm_Keywords_May20_1
Author: Florian Roth Description: Detects commands used by Sandworm group to exploit critical vulernability CVE-2019-10149 in Exim Reference: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_Sandworm_Keywords_May20_1_RID31CF
Author: Florian Roth Description: Detects commands used by Sandworm group to exploit critical vulernability CVE-2019-10149 in Exim Reference: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf TLP: TLP:WHITE
Rule name: APT_SH_Sandworm_Shell_Script_May20_1
Author: Florian Roth Description: Detects shell script used by Sandworm in attack against Exim mail server Reference: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_SH_Sandworm_Shell_Script_May20_1_RID343D
Author: Florian Roth Description: Detects shell script used by Sandworm in attack against Exim mail server Reference: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf TLP: TLP:WHITE
Rule name: APT_UA_Hermetic_Wiper_Artefacts_Feb22_1
Author: Florian Roth Description: Detects artefacts found in Hermetic Wiper malware related intrusions Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1
Author: Florian Roth Description: Detects scheduled task pattern found in Hermetic Wiper malware related intrusions Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_UNC2447_MAL_SOMBRAT_May21_1
Author: Florian Roth Description: Detects SombRAT samples from UNC2447 campaign Reference: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_UNC2447_MAL_SOMBRAT_May21_1_RID3035
Author: Florian Roth Description: Detects SombRAT samples from UNC2447 campaign Reference: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html TLP: TLP:WHITE
Rule name: APT_UNC2447_PS1_WARPRISM_May21_1
Author: Florian Roth Description: Detects WARPRISM PowerShell samples from UNC2447 campaign Reference: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT_UNC2447_PS1_WARPRISM_May21_1_RID308C
Author: Florian Roth Description: Detects WARPRISM PowerShell samples from UNC2447 campaign Reference: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html TLP: TLP:WHITE
Rule name: APT10_Malware_Sample_Gen
Author: Florian Roth Description: APT 10 / Cloud Hopper malware campaign Reference: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT6_Malware_Sample_Gen
Author: Florian Roth Description: Rule written for 2 malware samples that communicated to APT6 C2 servers Reference: https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: APT6_Malware_Sample_Gen_RID2F8E
Author: Florian Roth Description: Rule written for 2 malware samples that communicated to APT6 C2 servers Reference: https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/ TLP: TLP:WHITE
Rule name: Armitage_OSX
Author: Florian Roth Description: Detects Armitage component Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Armitage_OSX_RID2B94
Author: Florian Roth Description: Detects Armitage component Reference: Internal Research TLP: TLP:WHITE
Rule name: ArtTrayHookDll
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: ASPack_Chinese
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file ASPack Chinese.ini TLP: TLP:WHITE Repository: Neo23x0
Rule name: Backdoor_Redosdru_Jun17
Author: Florian Roth Description: Detects malware Redosdru - file systemHome.exe Reference: https://goo.gl/OOB3mH TLP: TLP:WHITE Repository: Neo23x0
Rule name: Backdoor_Redosdru_Jun17_RID2FD1
Author: Florian Roth Description: Detects malware Redosdru - file systemHome.exe Reference: https://goo.gl/OOB3mH TLP: TLP:WHITE
Rule name: Base64_PS1_Shellcode
Author: Nick Carr, David Ledbetter Description: Detects Base64 encoded PS1 Shellcode Reference: https://twitter.com/ItsReallyNick/status/1062601684566843392 TLP: TLP:WHITE Repository: Neo23x0
Rule name: Batch_Powershell_Invoke_Inveigh
Author: NCSC Description: Detects malicious batch file from NCSC report Reference: https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control TLP: TLP:WHITE Repository: Neo23x0
Rule name: Batch_Script_To_Run_PsExec
Author: NCSC Description: Detects malicious batch file from NCSC report Reference: https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control TLP: TLP:WHITE Repository: Neo23x0
Rule name: Beastdoor_Backdoor
Author: Florian Roth Description: Detects the backdoor Beastdoor TLP: TLP:WHITE Repository: Neo23x0
Rule name: BernhardPOS
Author: Nick Hoffman / Jeremy Humble Description: BernhardPOS Credit Card dumping tool Reference: http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick TLP: TLP:WHITE Repository: Neo23x0
Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens) Description: Contains a valid Bitcoin address TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: BlackGuard_Rule
Author: Jiho Kim Description: Yara rule for BlackGuarad Stealer v1.0 - v3.0 Reference: https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: BlackTech_PLEAD_mutex
Author: JPCERT/CC Incident Response Group Description: PLEAD malware mutex strings TLP: TLP:WHITE Repository: JPCERTCC
Rule name: BluenoroffPoS_DLL
Author: http://blog.trex.re.kr/ Description: Bluenoroff POS malware - hkp.dll Reference: http://blog.trex.re.kr/3?category=737685 TLP: TLP:WHITE Repository: Neo23x0
Rule name: BluesPortScan
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file BluesPortScan.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: BypassUac_9
Author: yarGen Yara Rule Generator Description: Auto-generated rule - file BypassUac.zip TLP: TLP:WHITE Repository: Neo23x0
Rule name: BypassUac2
Author: yarGen Yara Rule Generator Description: Auto-generated rule - file BypassUac2.zip TLP: TLP:WHITE Repository: Neo23x0
Rule name: cachedump
Author: Florian Roth Description: Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe Reference: http://goo.gl/igxLyF TLP: TLP:WHITE Repository: Neo23x0
Rule name: cachedump_RID2ABB
Author: Florian Roth Description: Detects a tool used by APT groups - from files cachedump_RID2ABB.exe, cachedump_RID2ABB64.exe Reference: http://goo.gl/igxLyF TLP: TLP:WHITE
Rule name: CACTUSTORCH
Author: Florian Roth Description: Detects CactusTorch Hacktool Reference: https://github.com/mdsecactivebreach/CACTUSTORCH TLP: TLP:WHITE Repository: Neo23x0
Rule name: CACTUSTORCH_RID2A54
Author: Florian Roth Description: Detects CactusTorch Hacktool Reference: https://github.com/mdsecactivebreach/CACTUSTORCH_RID2A54 TLP: TLP:WHITE
Rule name: Casper_Included_Strings
Author: Florian Roth Description: Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo Reference: http://goo.gl/VRJNLo TLP: TLP:WHITE Repository: Neo23x0
Rule name: Casper_Included_Strings_RID303F
Author: Florian Roth Description: Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo Reference: http://goo.gl/VRJNLo TLP: TLP:WHITE
Rule name: Casper_SystemInformation_Output
Author: Florian Roth Description: Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo Reference: http://goo.gl/VRJNLo TLP: TLP:WHITE Repository: Neo23x0
Rule name: Casper_SystemInformation_Output_RID33C9
Author: Florian Roth Description: Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo Reference: http://goo.gl/VRJNLo TLP: TLP:WHITE
Rule name: CleanIISLog
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file CleanIISLog.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: clearlog
Author: Florian Roth Description: Detects Fireball malware - file clearlog.dll Reference: https://goo.gl/4pTkGQ TLP: TLP:WHITE Repository: Neo23x0
Rule name: clearlog_RID2A5A
Author: Florian Roth Description: Detects Fireball malware - file clearlog_RID2A5A.dll Reference: https://goo.gl/4pTkGQ TLP: TLP:WHITE
Rule name: CN_APT_ZeroT_extracted_Mcutil
Author: Florian Roth Description: Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx TLP: TLP:WHITE Repository: Neo23x0
Rule name: CN_APT_ZeroT_extracted_Mcutil_RID3229
Author: Florian Roth Description: Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx TLP: TLP:WHITE
Rule name: CN_Toolset__XScanLib_XScanLib_XScanLib
Author: Florian Roth Description: Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll Reference: http://qiannao.com/ls/905300366/33834c0c/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: CN_Toolset_NTscan_PipeCmd
Author: Florian Roth Description: Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe Reference: http://qiannao.com/ls/905300366/33834c0c/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: CN_Toolset_sig_1433_135_sqlr
Author: Florian Roth Description: Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe Reference: http://qiannao.com/ls/905300366/33834c0c/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: CN_Toolset_sig_1433_135_sqlr_RID30D0
Author: Florian Roth Description: Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe Reference: http://qiannao.com/ls/905300366/33834c0c/ TLP: TLP:WHITE
Rule name: Cobaltbaltstrike_Beacon_Encoded
Author: Avast Threat Intel Team Description: Detects CobaltStrike payloads Reference: https://github.com/avast/ioc TLP: TLP:WHITE Repository: Neo23x0
Rule name: Cobaltgang_PDF_Metadata_Rev_A
Author: Palo Alto Networks Unit 42 Description: Find documents saved from the same potential Cobalt Gang PDF template Reference: https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: Codoso_CustomTCP_4
Author: Florian Roth Description: Detects Codoso APT CustomTCP Malware Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks TLP: TLP:WHITE Repository: Neo23x0
Rule name: Codoso_CustomTCP_4_RID2DCC
Author: Florian Roth Description: Detects Codoso APT CustomTCP Malware Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks TLP: TLP:WHITE
Rule name: Codoso_Gh0st_1
Author: Florian Roth Description: Detects Codoso APT Gh0st Malware Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks TLP: TLP:WHITE Repository: Neo23x0
Rule name: Codoso_Gh0st_1_RID2C2D
Author: Florian Roth Description: Detects Codoso APT Gh0st Malware Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks TLP: TLP:WHITE
Rule name: Codoso_Gh0st_3
Author: Florian Roth Description: Detects Codoso APT Gh0st Malware Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks TLP: TLP:WHITE Repository: Neo23x0
Rule name: Codoso_Gh0st_3_RID2C2F
Author: Florian Roth Description: Detects Codoso APT Gh0st Malware Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks TLP: TLP:WHITE
Rule name: Codoso_PGV_PVID_1
Author: Florian Roth Description: Detects Codoso APT PGV PVID Malware Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks TLP: TLP:WHITE Repository: Neo23x0
Rule name: Codoso_PGV_PVID_1_RID2CE6
Author: Florian Roth Description: Detects Codoso APT PGV PVID Malware Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks TLP: TLP:WHITE
Rule name: CoreImpact_sysdll_exe
Author: Florian Roth Description: Detects a malware sysdll.exe from the Rocket Kitten APT TLP: TLP:WHITE Repository: Neo23x0
Rule name: CoreImpact_sysdll_exe_RID2F93
Author: Florian Roth Description: Detects a malware sysdll.exe from the Rocket Kitten APT Reference: - TLP: TLP:WHITE
Rule name: crack_Loader
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file Loader.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: CredTheft_MSIL_ADPassHunt_2
Author: FireEye Reference: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: CrowdStrike_SUNSPOT_02
Description: Detects mutex names in SUNSPOT Reference: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ TLP: TLP:WHITE
Rule name: Darkside
Author: @bartblaze Description: Identifies Darkside ransomware. TLP: TLP:WHITE Repository: bartblaze
Rule name: DeepPanda_lot1
Author: Florian Roth Description: Hack Deep Panda - lot1.tmp-pwdump TLP: TLP:WHITE Repository: Neo23x0
Rule name: DeepPanda_lot1_RID2C52
Author: Florian Roth Description: Hack Deep Panda - FBI Liaison Alert System # A-000049-MW - lot1.tmp-pwdump Reference: http://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf TLP: TLP:WHITE
Rule name: Disclosed_0day_POCs_injector
Author: Florian Roth Description: Detects POC code from disclosed 0day hacktool set Reference: Disclosed 0day Repos TLP: TLP:WHITE Repository: Neo23x0
Rule name: dnscat2_Hacktool
Author: Florian Roth Description: Detects dnscat2 - from files dnscat, dnscat2.exe Reference: https://downloads.skullsecurity.org/dnscat2/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: Dropper_DeploysMalwareViaSideLoading
Author: USG Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Reference: https://www.us-cert.gov/ncas/alerts/TA17-117A TLP: TLP:WHITE Repository: Neo23x0
Rule name: dsc
Author: Aaron DeVera Description: Discord domains TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: EditKeyLog
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file EditKeyLog.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: EditKeyLogReadMe
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: EditKeyLogReadMe_RID2D10
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file EditKeyLogReadMe_RID2D10.txt Reference: - TLP: TLP:WHITE
Rule name: EditServer
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file EditServer.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: elf_bpfdoor_w2
Author: Florian Roth Description: Detects BPFDoor implants used by Chinese actor Red Menshen Reference: https://twitter.com/jcksnsec/status/1522163033585467393 TLP: TLP:WHITE Repository: Malpedia
Rule name: elf_kobalos_w1
Author: Marc-Etienne M.Léveillé Description: Kobalos SSH credential stealer seen in OpenSSH client Reference: http://www.welivesecurity.com TLP: TLP:WHITE Repository: Malpedia
Rule name: classified Author: classified Description: classified TLP TLP:GREEN
Rule name: classified Author: classified TLP TLP:AMBER
Rule name: elf_winnti_w0
Author: Silas Cutler (havex [@] chronicle.security), Chronicle Security TLP: TLP:WHITE Repository: Malpedia
Rule name: Empire_Get_Keystrokes
Author: Florian Roth Description: Detects Empire component - file Get-Keystrokes.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Get_Keystrokes_RID2F85
Author: Florian Roth Description: Detects Empire component - file Get-Keystrokes.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Get_SecurityPackages
Author: Florian Roth Description: Detects Empire component - file Get-SecurityPackages.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Get_SecurityPackages_RID31C8
Author: Florian Roth Description: Detects Empire component - file Get-SecurityPackages.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Invoke_DllInjection
Author: Florian Roth Description: Detects Empire component - file Invoke-DllInjection.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Invoke_DllInjection_RID315C
Author: Florian Roth Description: Detects Empire component - file Invoke-DllInjection.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Invoke_EgressCheck
Author: Florian Roth Description: Detects Empire component - file Invoke-EgressCheck.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Invoke_EgressCheck_RID30E4
Author: Florian Roth Description: Detects Empire component - file Invoke-EgressCheck.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Invoke_Gen
Author: Florian Roth Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Invoke_Gen_RID2DB7
Author: Florian Roth Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Invoke_Portscan_Gen
Author: Florian Roth Description: Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Invoke_Portscan_Gen_RID3160
Author: Florian Roth Description: Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Invoke_PostExfil
Author: Florian Roth Description: Detects Empire component - file Invoke-PostExfil.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Invoke_PostExfil_RID303B
Author: Florian Roth Description: Detects Empire component - file Invoke-PostExfil.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Invoke_PowerDump
Author: Florian Roth Description: Detects Empire component - file Invoke-PowerDump.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Invoke_PowerDump_RID3040
Author: Florian Roth Description: Detects Empire component - file Invoke-PowerDump.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Invoke_ShellcodeMSIL
Author: Florian Roth Description: Detects Empire component - file Invoke-ShellcodeMSIL.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Invoke_ShellcodeMSIL_RID3165
Author: Florian Roth Description: Detects Empire component - file Invoke-ShellcodeMSIL.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Invoke_SMBAutoBrute
Author: Florian Roth Description: Detects Empire component - file Invoke-SMBAutoBrute.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Invoke_SMBAutoBrute_RID311A
Author: Florian Roth Description: Detects Empire component - file Invoke-SMBAutoBrute.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_Invoke_SmbScanner
Author: Florian Roth Description: Detects Empire component - file Invoke-SmbScanner.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_Invoke_SmbScanner_RID3089
Author: Florian Roth Description: Detects Empire component - file Invoke-SmbScanner.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_KeePassConfig
Author: Florian Roth Description: Detects Empire component - file KeePassConfig.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_KeePassConfig_Gen
Author: Florian Roth Description: Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_KeePassConfig_Gen_RID304D
Author: Florian Roth Description: Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_KeePassConfig_RID2ED4
Author: Florian Roth Description: Detects Empire component - file KeePassConfig.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: Empire_PowerUp_Gen
Author: Florian Roth Description: Detects Empire component - from files PowerUp.ps1, PowerUp.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE Repository: Neo23x0
Rule name: Empire_PowerUp_Gen_RID2E1D
Author: Florian Roth Description: Detects Empire component - from files PowerUp.ps1, PowerUp.ps1 Reference: https://github.com/adaptivethreat/Empire TLP: TLP:WHITE
Rule name: EQGRP_BananaAid
Author: Florian Roth Description: EQGRP Toolset Firewall - file BananaAid Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_BananaUsurper_writeJetPlow
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130 Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_BARPUNCH_BPICKER
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100 Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_BBALL
Author: Florian Roth Description: EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_BFLEA_2201
Author: Florian Roth Description: EQGRP Toolset Firewall - file BFLEA-2201.exe Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_BICECREAM
Author: Florian Roth Description: EQGRP Toolset Firewall - file BICECREAM-2140 Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_BLIAR_BLIQUER
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230 Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_BUSURPER_2211_724
Author: Florian Roth Description: EQGRP Toolset Firewall - file BUSURPER-2211-724.exe Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_BUSURPER_3001_724
Author: Florian Roth Description: EQGRP Toolset Firewall - file BUSURPER-3001-724.exe Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_callbacks
Author: Florian Roth Description: EQGRP Toolset Firewall - Callback addresses Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_config_jp1_UA
Author: Florian Roth Description: EQGRP Toolset Firewall - file config_jp1_UA.pl Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_create_dns_injection
Author: Florian Roth Description: EQGRP Toolset Firewall - file create_dns_injection.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_eligiblecandidate
Author: Florian Roth Description: EQGRP Toolset Firewall - file eligiblecandidate.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_EPBA
Author: Florian Roth Description: EQGRP Toolset Firewall - file EPBA.script Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_epicbanana_2_1_0_1
Author: Florian Roth Description: EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_extrabacon
Author: Florian Roth Description: EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_Extrabacon_Output
Author: Florian Roth Description: EQGRP Toolset Firewall - Extrabacon exploit output Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_Implants_Gen1
Author: Florian Roth Description: EQGRP Toolset Firewall Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_Implants_Gen2
Author: Florian Roth Description: EQGRP Toolset Firewall Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_Implants_Gen3
Author: Florian Roth Description: EQGRP Toolset Firewall Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_Implants_Gen4
Author: Florian Roth Description: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120 Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_Implants_Gen5
Author: Florian Roth Description: EQGRP Toolset Firewall Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_jetplow_SH
Author: Florian Roth Description: EQGRP Toolset Firewall - file jetplow.sh Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_MixText
Author: Florian Roth Description: EQGRP Toolset Firewall - file MixText.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_pandarock
Author: Florian Roth Description: EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_payload
Author: Florian Roth Description: EQGRP Toolset Firewall - file payload.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_screamingplow
Author: Florian Roth Description: EQGRP Toolset Firewall - file screamingplow.sh Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_sniffer_xml2pcap
Author: Florian Roth Description: EQGRP Toolset Firewall - file sniffer_xml2pcap Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_sploit
Author: Florian Roth Description: EQGRP Toolset Firewall - from files sploit.py, sploit.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_sploit_py
Author: Florian Roth Description: EQGRP Toolset Firewall - file sploit.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_ssh_telnet_29
Author: Florian Roth Description: EQGRP Toolset Firewall - from files ssh.py, telnet.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_StoreFc
Author: Florian Roth Description: EQGRP Toolset Firewall - file StoreFc.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_tinyhttp_setup
Author: Florian Roth Description: EQGRP Toolset Firewall - file tinyhttp_setup.sh Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_tunnel_state_reader
Author: Florian Roth Description: EQGRP Toolset Firewall - file tunnel_state_reader Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_uninstallPBD
Author: Florian Roth Description: EQGRP Toolset Firewall - file uninstallPBD.bat Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_Unique_Strings
Author: Florian Roth Description: EQGRP Toolset Firewall - Unique strings Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_userscript
Author: Florian Roth Description: EQGRP Toolset Firewall - file userscript.FW Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EQGRP_workit
Author: Florian Roth Description: EQGRP Toolset Firewall - file workit.py Reference: Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationDrug_HDDSSD_Op
Author: Florian Roth @4nc4p Description: EquationDrug - HDD/SSD firmware operation - nls_933w.dll Reference: http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationDrug_HDDSSD_Op_RID2F20
Author: Florian Roth Description: EquationDrug - HDD/SSD firmware operation - nls_933w.dll Reference: http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ TLP: TLP:WHITE
Rule name: EquationGroup__ftshell
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup__ftshell_ftshell_v3_10_3_0
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup__ftshell_ftshell_v3_10_3_0_RID364E
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup__ftshell_RID3014
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup__ghost_sparc_ghost_x86_3
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup__ghost_sparc_ghost_x86_3_RID361A
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup__jparsescan_parsescan_5
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup__jparsescan_parsescan_5_RID35FF
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup__scanner_scanner_v2_1_2
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup__scanner_scanner_v2_1_2_RID357D
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_cmsd
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file cmsd Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_cmsd_RID2E6A
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file cmsd Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_cmsex
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file cmsex Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_cmsex_RID2EE3
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file cmsex Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_DUL
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file DUL Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_DUL_RID2DA8
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file DUL Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_ebbshave
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_ebbshave_RID3003
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_eggbasket
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file eggbasket Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_eggbasket_RID3070
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file eggbasket Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_elgingamble
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file elgingamble Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_elgingamble_RID313A
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file elgingamble Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_epoxyresin_v1_0_0
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_epoxyresin_v1_0_0_RID333D
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_estesfox
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file estesfox Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_estesfox_RID3034
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file estesfox Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_jackpop
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file jackpop Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_jackpop_RID2FAB
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file jackpop Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_sambal
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file sambal Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_sambal_RID2F33
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file sambal Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_slugger2
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file slugger2 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_slugger2_RID2FEE
Author: Florian Roth Description: Equation Group hack tool leaked by ShadowBrokers- file slugger2 Reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 TLP: TLP:WHITE
Rule name: EquationGroup_Toolset_Apr17_Eternalromance
Author: Florian Roth Description: Detects EquationGroup Tool - April Leak Reference: https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_Toolset_Apr17_Gen2
Author: Florian Roth Description: Detects EquationGroup Tool - April Leak Reference: https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation TLP: TLP:WHITE Repository: Neo23x0
Rule name: EquationGroup_Toolset_Apr17_Gen2_RID3342
Author: Florian Roth Description: Detects EquationGroup Tool - April Leak Reference: https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation TLP: TLP:WHITE
Rule name: EternalRocks_taskhost
Author: Florian Roth Description: Detects EternalRocks Malware - file taskhost.exe Reference: https://twitter.com/stamparm/status/864865144748298242 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EternalRocks_taskhost_FR_RID30A5
Author: Florian Roth Description: Detects EternalRocks Malware - file taskhost.exe Reference: https://twitter.com/stamparm/status/864865144748298242 TLP: TLP:WHITE
Rule name: EXPL_GitLab_CE_RCE_CVE_2021_22205
Author: Florian Roth Description: Detects signs of exploitation of GitLab CE CVE-2021-22205 Reference: https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts
Author: Zach Stanford - @svch0st, Florian Roth Description: Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log TLP: TLP:WHITE
Rule name: EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1
Author: Florian Roth Description: Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065 Reference: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ TLP: TLP:WHITE
Rule name: EXPL_Log4j_CVE_2021_44228_Dec21_Hard
Author: Florian Roth Description: Detects indicators in server logs that indicate the exploitation of CVE-2021-44228 Reference: https://twitter.com/h113sdx/status/1469010902183661568?s=20 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1
Author: Florian Roth Description: Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228 Reference: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_POC_SpringCore_0day_Indicators_Mar22_1
Author: Florian Roth Description: Detects indicators found after SpringCore exploitation attempts and in the POC script Reference: https://twitter.com/vxunderground/status/1509170582469943303 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22
Author: Florian Roth Description: Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954 Reference: https://github.com/sherlocksecurity/VMware-CVE-2022-22954 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_Shitrix_Exploit_Code_Jan20_1
Author: Florian Roth Description: Detects payloads used in Shitrix exploitation CVE-2019-19781 Reference: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXPL_Shitrix_Exploit_Code_Jan20_1_RID331C
Author: Florian Roth Description: Detects payloads used in Shitrix exploitation CVE-2019-19781 Reference: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/ TLP: TLP:WHITE
Rule name: EXPL_Zoho_RCE_Fix_Lines_Dec21_1
Author: Florian Roth Description: Detects lines in log lines of Zoho products that indicate RCE fixes (silent removal of evidence) Reference: https://twitter.com/cyb3rops/status/1467784104930385923 TLP: TLP:WHITE Repository: Neo23x0
Rule name: EXT_MAL_SystemBC_Mar22_1
Author: Thomas Barabosch, Deutsche Telekom Security Description: Detects unpacked SystemBC module as used by Emotet in March 2022 Reference: https://twitter.com/Cryptolaemus1/status/1502069552246575105 TLP: TLP:WHITE Repository: Neo23x0
Rule name: fgexec
Author: Florian Roth Description: Detects a tool used by APT groups - file fgexec.exe Reference: http://goo.gl/igxLyF TLP: TLP:WHITE Repository: Neo23x0
Rule name: Fidelis_Advisory_cedt370
Author: Florian Roth Description: Detects a string found in memory of malware cedt370r(3).exe Reference: http://goo.gl/ZjJyti TLP: TLP:WHITE Repository: Neo23x0
Rule name: Fierce2
Author: Florian Roth Description: This signature detects the Fierce2 domain scanner TLP: TLP:WHITE Repository: Neo23x0
Rule name: FIN7_Backdoor_Aug17
Author: Florian Roth Description: Detects Word Dropper from Proofpoint FIN7 Report Reference: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor TLP: TLP:WHITE Repository: Neo23x0
Rule name: FIN7_Backdoor_Aug17_RID2D8D
Author: Florian Roth Description: Detects Word Dropper from Proofpoint FIN7 Report Reference: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor TLP: TLP:WHITE
Rule name: FiveEyes_QUERTY_Malwareqwerty_20123
Author: Florian Roth Description: FiveEyes QUERTY Malware - file 20123.xml Reference: http://www.spiegel.de/media/media-35668.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: FourElementSword_Config_File
Author: Florian Roth Description: Detects FourElementSword Malware Reference: https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FourElementSword_ElevateDLL_2
Author: Florian Roth Description: Detects FourElementSword Malware Reference: https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_Auct_Dez16_Strings
Author: Florian Roth Description: String from the ShodowBroker Files Screenshots - Dec 2016 Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_Gen_Readme1
Author: Florian Roth Description: Auto-generated rule Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_Gen_Readme2
Author: Florian Roth Description: Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_Gen_Readme3
Author: Florian Roth Description: Auto-generated rule Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_Gen_Readme4
Author: Florian Roth Description: Auto-generated rule - from files violetspirit.README, violetspirit.README Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_gr_gr
Author: Florian Roth Description: Auto-generated rule - file gr.notes Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_nopen_oneshot
Author: Florian Roth Description: Auto-generated rule - file oneshot.example Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_opscript
Author: Florian Roth Description: Auto-generated rule - file opscript.se Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_README_cup
Author: Florian Roth Description: Auto-generated rule - file README.cup.NOPEN Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_strifeworld
Author: Florian Roth Description: Auto-generated rule - file strifeworld.1 Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_user_tool
Author: Florian Roth Description: Auto-generated rule - file user.tool.elatedmonkey Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_user_tool_dubmoat
Author: Florian Roth Description: Auto-generated rule - file user.tool.dubmoat.COMMON Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_user_tool_earlyshovel
Author: Florian Roth Description: Auto-generated rule - file user.tool.earlyshovel.COMMON Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_user_tool_ebbisland
Author: Florian Roth Description: Auto-generated rule - file user.tool.ebbisland.COMMON Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_user_tool_elgingamble
Author: Florian Roth Description: Auto-generated rule - file user.tool.elgingamble.COMMON Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_user_tool_epichero
Author: Florian Roth Description: Auto-generated rule - file user.tool.epichero.COMMON Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_user_tool_pork
Author: Florian Roth Description: Auto-generated rule - file user.tool.pork.COMMON Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_user_tool_yellowspirit
Author: Florian Roth Description: Auto-generated rule - file user.tool.yellowspirit.COMMON Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: FVEY_ShadowBroker_violetspirit
Author: Florian Roth Description: Auto-generated rule - file violetspirit.README Reference: https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: GhostDragon_Gh0stRAT
Author: Florian Roth Description: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Reference: https://blog.cylance.com/the-ghost-dragon TLP: TLP:WHITE Repository: Neo23x0
Rule name: GhostDragon_Gh0stRAT_Sample2
Author: Florian Roth Description: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Reference: https://blog.cylance.com/the-ghost-dragon TLP: TLP:WHITE Repository: Neo23x0
Rule name: GhostDragon_Gh0stRAT_Sample2_RID3170
Author: Florian Roth Description: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Reference: https://blog.cylance.com/the-ghost-dragon TLP: TLP:WHITE
Rule name: gina_zip_Folder_gina
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file gina.dll TLP: TLP:WHITE Repository: Neo23x0
Rule name: Greenbug_Malware_4
Author: Florian Roth Description: Detects ISMDoor Backdoor Reference: https://goo.gl/urp4CD TLP: TLP:WHITE Repository: Neo23x0
Rule name: Greenbug_Malware_4_RID2DFB
Author: Florian Roth Description: Detects ISMDoor Backdoor Reference: https://goo.gl/urp4CD TLP: TLP:WHITE
Rule name: GRIZZLY_STEPPE_Malware_2
Author: Florian Roth Description: Auto-generated rule Reference: https://goo.gl/WVflzO TLP: TLP:WHITE Repository: Neo23x0
Rule name: GRIZZLY_STEPPE_Malware_2_RID2F35
Author: Florian Roth Description: Semiautomatically generated YARA rule Reference: https://goo.gl/WVflzO TLP: TLP:WHITE
Rule name: HackTool_MSIL_SharPersist_2
Author: FireEye Reference: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: Hacktools_CN_Burst_Start
Author: Florian Roth Description: Disclosed hacktool set - file Start.bat - DoS tool TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Dsniff
Author: Florian Roth Description: Detects Dsniff hack tool Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Dsniff_RID2AFD
Author: Florian Roth Description: Detects Dsniff hack tool Reference: https://goo.gl/eFoP4A TLP: TLP:WHITE
Rule name: HKTL_Fierce2_RID2B23
Author: Florian Roth Description: This signature detects the Fierce2 domain scanner Reference: - TLP: TLP:WHITE
Rule name: HKTL_IP_Stealing_Utilities_RID30ED
Author: Florian Roth Description: Semiautomatically generated YARA rule on file IP Stealing Utilities.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_Khepri_Beacon_Sep21_1
Author: Florian Roth Description: Detects Khepri C2 framework beacons Reference: https://github.com/geemion/Khepri/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Lazagne_Gen_18
Author: Florian Roth Description: Detects Lazagne password extractor hacktool Reference: https://github.com/AlessandroZ/LaZagne TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Lazagne_Gen_18_RID2DA6
Author: Florian Roth Description: Detects Lazagne password extractor hacktool Reference: https://github.com/AlessandroZ/LaZagne TLP: TLP:WHITE
Rule name: HKTL_LazyCat_LogEraser
Author: Florian Roth Description: Detetcs a tool used in the Australian Parliament House network compromise Reference: https://twitter.com/cyb3rops/status/1097423665472376832 TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_LNX_Pnscan
Author: Florian Roth Description: Detects Pnscan port scanner Reference: https://github.com/ptrrkssn/pnscan TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_LNX_Pnscan_RID2C57
Author: Florian Roth Description: Detects Pnscan port scanner Reference: https://github.com/ptrrkssn/pnscan TLP: TLP:WHITE
Rule name: HKTL_Meterpreter_inMemory
Author: netbiosX, Florian Roth Description: Detects Meterpreter in-memory Reference: https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Ncrack_RID2AF5
Author: Florian Roth Description: This signature detects the Ncrack brute force tool Reference: - TLP: TLP:WHITE
Rule name: HKTL_NetBIOS_Name_Scanner_RID3000
Author: Florian Roth Description: Semiautomatically generated YARA rule on file NetBIOS Name Scanner.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine
Author: Florian Roth Description: Detects PowerShell Oneliner in Nishang's repository Reference: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine_RID379E
Author: Florian Roth Description: Detects PowerShell Oneliner in Nishang's repository Reference: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1 TLP: TLP:WHITE
Rule name: HKTL_NoPowerShell
Author: Florian Roth Description: Detects NoPowerShell hack tool Reference: https://github.com/bitsadmin/nopowershell TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_NoPowerShell_RID2D65
Author: Florian Roth Description: Detects NoPowerShell hack tool Reference: https://github.com/bitsadmin/nopowershell TLP: TLP:WHITE
Rule name: HKTL_PortRacer_RID2C35
Author: Florian Roth Description: Semiautomatically generated YARA rule on file PortRacer.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_PortScanner_RID2D12
Author: Florian Roth Description: Semiautomatically generated YARA rule on file PortScanner.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_PowerKatz_Feb19_1
Author: Florian Roth Description: Detetcs a tool used in the Australian Parliament House network compromise Reference: https://twitter.com/cyb3rops/status/1097423665472376832 TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_PowerKatz_Feb19_1_RID2EB0
Author: Florian Roth Description: Detetcs a tool used in the Australian Parliament House network compromise Reference: https://twitter.com/cyb3rops/status/1097423665472376832 TLP: TLP:WHITE
Rule name: HKTL_PS1_PowerCat_Mar21
Author: Florian Roth Description: Detects PowerCat hacktool Reference: https://github.com/besimorhino/powercat TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_PS1_PowerCat_Mar21_RID2EDD
Author: Florian Roth Description: Detects PowerCat hacktool Reference: https://github.com/besimorhino/powercat TLP: TLP:WHITE
Rule name: HKTL_scanarator_RID2CD1
Author: Florian Roth Description: Semiautomatically generated YARA rule on file scanarator.exe Reference: - TLP: TLP:WHITE
Rule name: HKTL_SQLMap_RID2AB1
Author: Florian Roth Description: This signature detects the SQLMap SQL injection tool Reference: - TLP: TLP:WHITE
Rule name: HKTL_Unknown_Feb19_1
Author: Florian Roth Description: Detetcs a tool used in the Australian Parliament House network compromise Reference: https://twitter.com/cyb3rops/status/1097423665472376832 TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Unknown_Feb19_1_RID2DF9
Author: Florian Roth Description: Detetcs a tool used in the Australian Parliament House network compromise Reference: https://twitter.com/cyb3rops/status/1097423665472376832 TLP: TLP:WHITE
Rule name: Hunting_GadgetToJScript_1
Author: FireEye Description: This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling. Reference: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: HvS_APT27_HyperBro_Stage3_C2
Author: Marc Stroebel Description: HyperBro Stage 3 C2 path and user agent detection - also tested in memory Reference: https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27 TLP: TLP:WHITE Repository: Neo23x0
Rule name: iKAT_command_lines_agent
Author: Florian Roth Description: iKAT hack tools set agent - file ikat.exe Reference: http://ikat.ha.cked.net/Windows/functions/ikatfiles.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: iKAT_startbar
Author: Florian Roth Description: Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe Reference: http://ikat.ha.cked.net/Windows/functions/ikatfiles.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: Impacket
Author: @bartblaze Description: Identifies Impacket, a collection of Python classes for working with network protocols. Reference: https://github.com/SecureAuthCorp/impacket TLP: TLP:WHITE Repository: bartblaze
Rule name: Impacket_Tools_Generic_1
Author: Florian Roth Description: Compiled Impacket Tools Reference: https://github.com/maaaaz/impacket-examples-windows TLP: TLP:WHITE Repository: Neo23x0
Rule name: Impacket_Tools_Generic_1_RID305B
Author: Florian Roth Description: Compiled Impacket Tools Reference: https://github.com/maaaaz/impacket-examples-windows TLP: TLP:WHITE
Rule name: IMPLANT_3_v1
Author: US CERT Description: X-Agent/CHOPSTICK Implant by APT28 Reference: https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE TLP: TLP:WHITE Repository: Neo23x0
Rule name: IMPLANT_4_v9
Author: US CERT Description: BlackEnergy / Voodoo Bear Implant by APT28 Reference: https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE TLP: TLP:WHITE Repository: Neo23x0
Rule name: Industroyer_Malware_5
Author: Florian Roth Description: Detects Industroyer related malware Reference: https://goo.gl/x81cSy TLP: TLP:WHITE Repository: Neo23x0
Rule name: Industroyer_Malware_5_RID2F75
Author: Florian Roth Description: Detects Industroyer related malware Reference: https://goo.gl/x81cSy TLP: TLP:WHITE
Rule name: Industroyer_Portscan_3_Output
Author: Florian Roth Description: Detects Industroyer related custom port scaner output file Reference: https://goo.gl/x81cSy TLP: TLP:WHITE Repository: Neo23x0
Rule name: Industroyer_Portscan_3_Output_RID32E4
Author: Florian Roth Description: Detects Industroyer related custom port scaner output file Reference: https://goo.gl/x81cSy TLP: TLP:WHITE
Rule name: InstGina
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file InstGina.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Invoke_Mimikatz
Author: Florian Roth Description: Detects Invoke-Mimikatz String Reference: https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz TLP: TLP:WHITE Repository: Neo23x0
Rule name: Invoke_mimikittenz
Author: Florian Roth Description: Detects Mimikittenz - file Invoke-mimikittenz.ps1 Reference: https://github.com/putterpanda/mimikittenz TLP: TLP:WHITE Repository: Neo23x0
Rule name: Invoke_mimikittenz_RID2E91
Author: Florian Roth Description: Semiautomatically generated YARA rule - file Invoke-mimikittenz.ps1 Reference: https://github.com/putterpanda/mimikittenz TLP: TLP:WHITE
Rule name: Invoke_OSiRis
Author: Florian Roth Description: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Invoke_OSiRis_RID2C15
Author: Florian Roth Description: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 Reference: Internal Research TLP: TLP:WHITE
Rule name: Invoke_WMIExec_Gen_1
Author: Florian Roth Description: Detects Invoke-WmiExec or Invoke-SmbExec Reference: https://github.com/Kevin-Robertson/Invoke-TheHash TLP: TLP:WHITE Repository: Neo23x0
Rule name: Invoke_WMIExec_Gen_1_RID2E57
Author: Florian Roth Description: Detects Invoke-WmiExec or Invoke-SmbExec Reference: https://github.com/Kevin-Robertson/Invoke-TheHash TLP: TLP:WHITE
Rule name: IP_Stealing_Utilities
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file IP Stealing Utilities.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: IronGate_APT_Step7ProSim_Gen
Author: Florian Roth Description: Detects IronGate APT Malware - Step7ProSim DLL Reference: https://goo.gl/Mr6M2J TLP: TLP:WHITE Repository: Neo23x0
Rule name: IronPanda_DNSTunClient
Author: Florian Roth Description: Iron Panda malware DnsTunClient - file named.exe Reference: https://goo.gl/E4qia9 TLP: TLP:WHITE Repository: Neo23x0
Rule name: IronPanda_DNSTunClient_RID2F67
Author: Florian Roth Description: Iron Panda malware DnsTunClient - file named.exe Reference: https://goo.gl/E4qia9 TLP: TLP:WHITE
Rule name: IronPanda_Malware_Htran
Author: Florian Roth Description: Iron Panda Malware Htran Reference: https://goo.gl/E4qia9 TLP: TLP:WHITE Repository: Neo23x0
Rule name: IronTiger_ASPXSpy
Author: Cyber Safety Solutions, Trend Micro Description: ASPXSpy detection. It might be used by other fraudsters Reference: http://goo.gl/T5fSJC TLP: TLP:WHITE Repository:
Rule name: IronTiger_wmiexec
Author: Cyber Safety Solutions, Trend Micro Description: Iron Tiger Tool - wmi.vbs detection Reference: http://goo.gl/T5fSJC TLP: TLP:WHITE Repository: Neo23x0
Rule name: JavaScript_Run_Suspicious
Author: Florian Roth Description: Detects a suspicious Javascript Run command Reference: https://twitter.com/craiu/status/900314063560998912 TLP: TLP:WHITE Repository: Neo23x0
Rule name: JavaScript_Run_Suspicious_RID3132
Author: Florian Roth Description: Detects a suspicious Javascript Run command Reference: https://twitter.com/craiu/status/900314063560998912 TLP: TLP:WHITE
Rule name: Jc_WinEggDrop_Shell
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt TLP: TLP:WHITE Repository: Neo23x0
Rule name: Jc_WinEggDrop_Shell_RID2E4A
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt Reference: - TLP: TLP:WHITE
Rule name: JS_Suspicious_MSHTA_Bypass
Author: Florian Roth Description: Detects MSHTA Bypass Reference: https://twitter.com/ItsReallyNick/status/887705105239343104 TLP: TLP:WHITE Repository: Neo23x0
Rule name: JS_Suspicious_MSHTA_Bypass_RID30F1
Author: Florian Roth Description: Detects MSHTA Bypass Reference: https://twitter.com/ItsReallyNick/status/887705105239343104 TLP: TLP:WHITE
Rule name: Jupyter_infostealer
Author: CD_R0M_ Description: Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022 TLP: TLP:WHITE Repository: CD-R0M
Rule name: kerberoast_PY
Author: Florian Roth Description: Auto-generated rule - file kerberoast.py Reference: https://github.com/skelsec/PyKerberoast TLP: TLP:WHITE Repository: Neo23x0
Rule name: kerberoast_PY_RID2C4B
Author: Florian Roth Description: Semiautomatically generated YARA rule - file kerberoast.py Reference: https://github.com/skelsec/PyKerberoast TLP: TLP:WHITE
Rule name: Keylogger_CN_APT
Author: Florian Roth Description: Keylogger - generic rule for a Chinese variant TLP: TLP:WHITE Repository: Neo23x0
Rule name: KINS_dropper
Author: AlienVault Labs aortega@alienvault.com Description: Match protocol, process injects and windows exploit present in KINS dropper Reference: http://goo.gl/arPhm3 TLP: TLP:WHITE Repository: Neo23x0
Rule name: LaZagne
Author: @bartblaze Description: Identifies LaZagne, credentials recovery project. Reference: https://github.com/AlessandroZ/LaZagne TLP: TLP:WHITE Repository: bartblaze
Rule name: Lazagne_PW_Dumper
Author: Markus Neis / Florian Roth Description: Detects Lazagne PW Dumper Reference: https://github.com/AlessandroZ/LaZagne/releases/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: Lazagne_PW_Dumper_RID2DA5
Author: Markus Neis, Florian Roth Description: Detects Lazagne PW Dumper Reference: https://github.com/AlessandroZ/LaZagne/releases/ TLP: TLP:WHITE
Rule name: Linux_Portscan_Shark_2
Author: Florian Roth Description: Detects Linux Port Scanner Shark Reference: Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35 TLP: TLP:WHITE Repository: Neo23x0
Rule name: Linux_Portscan_Shark_2_RID2FB3
Author: Florian Roth Description: Detects Linux Port Scanner Shark Reference: Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35 TLP: TLP:WHITE
Rule name: LinuxHacktool_eyes_a
Author: Florian Roth Description: Linux hack tools - file a Reference: not set TLP: TLP:WHITE Repository: Neo23x0
Rule name: LinuxHacktool_eyes_mass
Author: Florian Roth Description: Linux hack tools - file mass Reference: not set TLP: TLP:WHITE Repository: Neo23x0
Rule name: LM_hash_empty_String_RID2F11
Author: Florian Roth Description: Detects the empty LM hash on disk/in memory/as output from hacking tools Reference: - TLP: TLP:WHITE
Rule name: LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_RID36CD
Author: Florian Roth Description: Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log TLP: TLP:WHITE
Rule name: LOG_EXPL_ADSelfService_CVE_2021_40539_ADSLOG_Sep21
Author: Florian Roth Description: Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539 Reference: https://us-cert.cisa.gov/ncas/alerts/aa21-259a TLP: TLP:WHITE
Rule name: LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1
Author: Florian Roth Description: Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539 Reference: https://us-cert.cisa.gov/ncas/alerts/aa21-259a TLP: TLP:WHITE
Rule name: LOG_EXPL_Confluence_RCE_CVE_2021_26084_Sep21
Author: Florian Roth Description: Detects exploitation attempts against Confluence servers abusing a RCE reported as CVE-2021-26084 Reference: https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md TLP: TLP:WHITE
Rule name: LOG_EXPL_ProxyToken_Exploitation_Aug21_1
Author: Florian Roth Description: Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system Reference: https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server TLP: TLP:WHITE Repository: Neo23x0
Rule name: LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1
Author: Florian Roth Description: Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup Reference: https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/ TLP: TLP:WHITE
Rule name: LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1_RID3A2F
Author: Florian Roth Description: Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup Reference: https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/ TLP: TLP:WHITE
Rule name: lsremora
Author: Florian Roth Description: Detects a tool used by APT groups Reference: http://goo.gl/igxLyF TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_HawkEye_Keylogger_Gen_Dec18
Author: Florian Roth Description: Detects HawkEye Keylogger Reborn Reference: https://twitter.com/James_inthe_box/status/1072116224652324870 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_HawkEye_Keylogger_Gen_Dec18_RID324D
Author: Florian Roth Description: Detects HawkEye Keylogger Reborn Reference: https://twitter.com/James_inthe_box/status/1072116224652324870 TLP: TLP:WHITE
Rule name: Mal_http_EXE
Author: Florian Roth Description: Detects trojan from APT report named http.exe Reference: https://goo.gl/13Wgy1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_IcedId_Core_LDR_202104
Author: Thomas Barabosch, Telekom Security Description: 2021 loader for Bokbot / Icedid core (license.dat) Reference: https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_LNX_LinaDoor_Rootkit_May22
Author: Florian Roth Description: Detects LinaDoor Linux Rootkit, which seems to be a modified Reptile rootkit often used by Bronze Union TA Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Mal_PotPlayer_DLL
Author: Florian Roth Description: Detects a malicious PotPlayer.dll Reference: https://goo.gl/13Wgy1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_RANSOM_Crime_DearCry_Mar2021_1
Author: Nils Kuhnert Description: Triggers on strings of known DearCry samples Reference: https://twitter.com/phillip_misner/status/1370197696280027136 TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_RANSOM_Darkside_May21_1
Author: Florian Roth Description: Detects Darkside Ransomware Reference: https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: MAL_RANSOM_Darkside_May21_1_RID3019
Author: Florian Roth Description: Detects Darkside Ransomware Reference: https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/ TLP: TLP:WHITE
Rule name: MAL_Sednit_DelphiDownloader_Apr18_2
Author: Florian Roth Description: Detects malware from Sednit Delphi Downloader report Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: malware_apt15_generic
Author: David Cannings Description: Find generic data potentially relating to AP15 tools TLP: TLP:WHITE Repository: Neo23x0
Rule name: malware_netwire_strings
Author: JPCERT/CC Incident Response Group Description: detect netwire in memory Reference: internal research TLP: TLP:WHITE Repository: JPCERTCC
Rule name: Malware_QA_vqgk
Author: Florian Roth Description: VT Research QA uploaded malware - file vqgk.dll Reference: VT Research QA TLP: TLP:WHITE Repository: Neo23x0
Rule name: malware_sakula_memory
Author: David Cannings Description: Sakula malware - strings after unpacking (memory rule) TLP: TLP:WHITE Repository: Neo23x0
Rule name: merlinAgent
Author: Hilko Bengen Description: Detects Merlin agent Reference: https://github.com/Ne0nd0g/merlin TLP: TLP:WHITE Repository: Neo23x0
Rule name: Metasploit_Loader_RSMudge
Author: Florian Roth Description: Detects a Metasploit Loader by RSMudge - file loader.exe Reference: https://github.com/rsmudge/metasploit-loader TLP: TLP:WHITE Repository: Neo23x0
Rule name: Metasploit_Loader_RSMudge_RID30DF
Author: Florian Roth Description: Detects a Metasploit Loader by RSMudge - file loader.exe Reference: https://github.com/rsmudge/metasploit-loader TLP: TLP:WHITE
Rule name: Microcin_Sample_5
Author: Florian Roth Description: Malware sample mentioned in Microcin technical report by Kaspersky Reference: https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: Microcin_Sample_5_RID2D9A
Author: Florian Roth Description: Malware sample mentioned in Microcin technical report by Kaspersky Reference: https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf TLP: TLP:WHITE
Rule name: Mimikatz_Logfile
Author: Florian Roth Description: Detects a log file generated by malicious hack tool mimikatz TLP: TLP:WHITE Repository: Neo23x0
Rule name: Mimikatz_Logfile_RID2D78
Author: Florian Roth Description: Detects a log file generated by malicious hack tool mimikatz Reference: - TLP: TLP:WHITE
Rule name: Mimikatz_Memory_Rule_1
Author: Florian Roth Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) TLP: TLP:WHITE
Rule name: Mimikatz_Memory_Rule_2
Author: Florian Roth - Florian Roth Description: Mimikatz Rule generated from a memory dump TLP: TLP:WHITE
Rule name: Mimipenguin_SH
Author: Florian Roth Description: Detects Mimipenguin Password Extractor - Linux Reference: https://github.com/huntergregal/mimipenguin TLP: TLP:WHITE Repository: Neo23x0
Rule name: Mimipenguin_SH_RID2C8D
Author: Florian Roth Description: Detects Mimipenguin Password Extractor - Linux Reference: https://github.com/huntergregal/mimipenguin TLP: TLP:WHITE
Rule name: MSBuild_Mimikatz_Execution_via_XML
Author: Florian Roth Description: Detects an XML that executes Mimikatz on an endpoint via MSBuild Reference: https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml TLP: TLP:WHITE Repository: Neo23x0
Rule name: MSBuild_Mimikatz_Execution_via_XML_RID3448
Author: Florian Roth Description: Detects an XML that executes Mimikatz on an endpoint via MSBuild Reference: https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml TLP: TLP:WHITE
Rule name: Msfpayloads_msf
Author: Florian Roth Description: Metasploit Payloads - file msf.sh Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Msfpayloads_msf_3
Author: Florian Roth Description: Metasploit Payloads - file msf.psh Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Msfpayloads_msf_3_RID2DCB
Author: Florian Roth Description: Metasploit Payloads - file msf.psh Reference: Internal Research TLP: TLP:WHITE
Rule name: Msfpayloads_msf_4
Author: Florian Roth Description: Metasploit Payloads - file msf.aspx Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Msfpayloads_msf_4_RID2DCC
Author: Florian Roth Description: Metasploit Payloads - file msf.aspx Reference: Internal Research TLP: TLP:WHITE
Rule name: Msfpayloads_msf_cmd
Author: Florian Roth Description: Metasploit Payloads - file msf-cmd.ps1 Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Msfpayloads_msf_cmd_RID2ECC
Author: Florian Roth Description: Metasploit Payloads - file msf-cmd.ps1 Reference: Internal Research TLP: TLP:WHITE
Rule name: Msfpayloads_msf_exe
Author: Florian Roth Description: Metasploit Payloads - file msf-exe.vba Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Msfpayloads_msf_exe_RID2EDA
Author: Florian Roth Description: Metasploit Payloads - file msf-exe.vba Reference: Internal Research TLP: TLP:WHITE
Rule name: Msfpayloads_msf_psh
Author: Florian Roth Description: Metasploit Payloads - file msf-psh.vba Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Msfpayloads_msf_psh_RID2EE3
Author: Florian Roth Description: Metasploit Payloads - file msf-psh.vba Reference: Internal Research TLP: TLP:WHITE
Rule name: Msfpayloads_msf_ref
Author: Florian Roth Description: Metasploit Payloads - file msf-ref.ps1 Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Msfpayloads_msf_ref_RID2ED5
Author: Florian Roth Description: Metasploit Payloads - file msf-ref.ps1 Reference: Internal Research TLP: TLP:WHITE
Rule name: Msfpayloads_msf_RID2D39
Author: Florian Roth Description: Metasploit Payloads - file msf.sh Reference: Internal Research TLP: TLP:WHITE
Rule name: Nanocore_RAT_Gen_1
Author: Florian Roth Description: Detetcs the Nanocore RAT and similar malware Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: Nanocore_RAT_Gen_1_RID2D95
Author: Florian Roth Description: Detetcs the Nanocore RAT and similar malware Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ TLP: TLP:WHITE
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth Description: Detetcs the Nanocore RAT Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: Nanocore_RAT_Gen_2_RID2D96
Author: Florian Roth Description: Detetcs the Nanocore RAT Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ TLP: TLP:WHITE
Rule name: Nautilus_forensic_artificats
Author: NCSC UK / Florian Roth Description: Rule for detection of Nautilus related strings Reference: https://www.ncsc.gov.uk/alerts/turla-group-malware TLP: TLP:WHITE Repository: Neo23x0
Rule name: Ncat_Hacktools_CN
Author: Florian Roth Description: Disclosed hacktool set - file nc.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Ncrack
Author: Florian Roth Description: This signature detects the Ncrack brute force tool TLP: TLP:WHITE Repository: Neo23x0
Rule name: NetBIOS_Name_Scanner
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file NetBIOS Name Scanner.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Netview_Hacktool
Author: Florian Roth Description: Network domain enumeration tool - often used by attackers - file Nv.exe Reference: https://github.com/mubix/netview TLP: TLP:WHITE Repository: Neo23x0
Rule name: Netview_Hacktool_Output
Author: Florian Roth Description: Network domain enumeration tool output - often used by attackers - file filename.txt Reference: https://github.com/mubix/netview TLP: TLP:WHITE Repository: Neo23x0
Rule name: NTLM_Dump_Output
Author: Florian Roth Description: NTML Hash Dump output file - John/LC format TLP: TLP:WHITE Repository: Neo23x0
Rule name: OilRig_Malware_Campaign_Gen2
Author: Florian Roth Description: Detects malware from OilRig Campaign Reference: https://goo.gl/QMRZ8K TLP: TLP:WHITE Repository: Neo23x0
Rule name: ONHAT_Proxy_Hacktool
Author: Florian Roth Description: Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups Reference: https://goo.gl/p32Ozf TLP: TLP:WHITE Repository: Neo23x0
Rule name: ONHAT_Proxy_Hacktool_RID2EA0
Author: Florian Roth Description: Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups Reference: https://goo.gl/p32Ozf TLP: TLP:WHITE
Rule name: OPCLEAVER_antivirusdetector
Author: Cylance Inc. Description: Hack tool used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_BackDoorLogger
Author: Cylance Inc. Description: Keylogger used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_CCProxy_Config
Author: Florian Roth Description: CCProxy config known from Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_CCProxy_Config_RID2F6E
Author: Florian Roth Description: CCProxy config known from Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE
Rule name: OPCLEAVER_csext
Author: Cylance Inc. Description: Backdoor used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_Jasus
Author: Cylance Inc. Description: ARP cache poisoner used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_kagent
Author: Cylance Inc. Description: Backdoor used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_mimikatzWrapper
Author: Cylance Inc. Description: Mimikatz Wrapper used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_pvz_in
Author: Cylance Inc. Description: Parviz tool used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_ShellCreator2
Author: Cylance Inc. Description: Shell Creator used by attackers in Operation Cleaver to create ASPX web shells Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_SmartCopy2
Author: Cylance Inc. Description: Malware or hack tool used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_SynFlooder
Author: Cylance Inc. Description: Malware or hack tool used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_TinyZBot
Author: Cylance Inc. Description: Tiny Bot used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_zhLookUp
Author: Cylance Inc. Description: Hack tool used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_zhmimikatz
Author: Cylance Inc. Description: Mimikatz wrapper used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OPCLEAVER_ZhoupinExploitCrew
Author: Cylance Inc. Description: Keywords used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OpCloudHopper_Malware_5
Author: Florian Roth Description: Detects malware from Operation Cloud Hopper Reference: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: OpCloudHopper_Malware_5_RID2FF1
Author: Florian Roth Description: Detects Operation CloudHopper malware samples Reference: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html TLP: TLP:WHITE
Rule name: OpCloudHopper_WmiDLL_inMemory
Author: Florian Roth Description: Malware related to Operation Cloud Hopper - Page 25 Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: OpCloudHopper_WmiDLL_inMemory_RID324C
Author: Florian Roth Description: Malware related to Operation Cloud Hopper - Page 25 Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf TLP: TLP:WHITE
Rule name: OSX_backdoor_Bella
Author: John Lambert @JohnLaTwC Description: Bella MacOS/OSX backdoor Reference: https://twitter.com/JohnLaTwC/status/911998777182924801 TLP: TLP:WHITE Repository: Neo23x0
Rule name: OSX_backdoor_EvilOSX
Author: John Lambert @JohnLaTwC Description: EvilOSX MacOS/OSX backdoor Reference: https://github.com/Marten4n6/EvilOSX, https://twitter.com/JohnLaTwC/status/966139336436498432 TLP: TLP:WHITE Repository: Neo23x0
Rule name: osx_bella_w0
Author: John Lambert @JohnLaTwC Description: Bella MacOS/OSX backdoor Reference: https://twitter.com/JohnLaTwC/status/911998777182924801 TLP: TLP:WHITE Repository: Malpedia
Rule name: p0wnedAmsiBypass
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE Repository: Neo23x0
Rule name: p0wnedAmsiBypass_RID2D5B
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass_RID2D5B.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE
Rule name: p0wnedBinaries
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE Repository: Neo23x0
Rule name: p0wnedBinaries_RID2C8C
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries_RID2C8C.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE
Rule name: p0wnedExploits
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE Repository: Neo23x0
Rule name: p0wnedExploits_RID2CB7
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits_RID2CB7.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE
Rule name: p0wnedPotato
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE Repository: Neo23x0
Rule name: p0wnedPotato_RID2BD6
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato_RID2BD6.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE
Rule name: p0wnedPowerCat
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE Repository: Neo23x0
Rule name: p0wnedPowerCat_RID2C84
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat_RID2C84.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE
Rule name: p0wnedShell_outputs
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE Repository: Neo23x0
Rule name: p0wnedShell_outputs_RID2EDA
Author: Florian Roth Description: p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs Reference: https://github.com/Cn33liz/p0wnedShell TLP: TLP:WHITE
Rule name: PassCV_Sabre_Malware_2
Author: Florian Roth Description: PassCV Malware mentioned in Cylance Report Reference: https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies TLP: TLP:WHITE Repository: Neo23x0
Rule name: PassCV_Sabre_Malware_2_RID2F46
Author: Florian Roth Description: PassCV Malware mentioned in Cylance Report Reference: https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies TLP: TLP:WHITE
Rule name: PassSniffer
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file PassSniffer.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Payload_Exe2Hex
Author: Florian Roth Description: Detects payload generated by exe2hex Reference: https://github.com/g0tmi1k/exe2hex TLP: TLP:WHITE Repository: Neo23x0
Rule name: Payload_Exe2Hex_RID2CB3
Author: Florian Roth Description: Detects payload generated by exe2hex Reference: https://github.com/g0tmi1k/exe2hex TLP: TLP:WHITE
Rule name: Pirpi_1609_A
Author: Florian Roth Description: Detects Pirpi Backdoor - and other malware (generic rule) Reference: http://goo.gl/igxLyF TLP: TLP:WHITE Repository: Neo23x0
Rule name: Pirpi_1609_A_RID2AE4
Author: Florian Roth Description: Detects Pirpi Backdoor - and other malware (generic rule) Reference: http://goo.gl/igxLyF TLP: TLP:WHITE
Rule name: Pirpi_1609_B
Author: Florian Roth Description: Detects Pirpi Backdoor Reference: http://goo.gl/igxLyF TLP: TLP:WHITE Repository: Neo23x0
Rule name: Pirpi_1609_B_RID2AE5
Author: Florian Roth Description: Detects Pirpi Backdoor Reference: http://goo.gl/igxLyF TLP: TLP:WHITE
Rule name: PlugX_J16_Gen2
Author: Florian Roth Description: Detects PlugX Malware Samples from June 2016 Reference: VT Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: PlugX_J16_Gen2_RID2BBC
Author: Florian Roth Description: Detects PlugX Malware Samples from June 2016 Reference: MISP 3954 TLP: TLP:WHITE
Rule name: PLUGX_RedLeaves
Author: US-CERT Code Analysis Team Description: Detects specific RedLeaves and PlugX binaries Reference: https://www.us-cert.gov/ncas/alerts/TA17-117A TLP: TLP:WHITE Repository: Neo23x0
Rule name: PoisonIvy_Sample_6
Author: Florian Roth Description: Detects PoisonIvy RAT sample set Reference: VT Analysis TLP: TLP:WHITE Repository: Neo23x0
Rule name: PoisonIvy_Sample_6_RID2E17
Author: Florian Roth Description: Detects PoisonIvy RAT sample set Reference: VT Analysis TLP: TLP:WHITE
Rule name: PortRacer
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file PortRacer.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: portscan
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file portscan.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: PortScanner
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file PortScanner.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: PoseidonGroup_Malware
Author: Florian Roth Description: Detects Poseidon Group Malware Reference: https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: POSHSPY_Malware
Author: Florian Roth Description: Detects Reference: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: POSHSPY_Malware_RID2C6F
Author: Florian Roth Description: Detects Reference: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html TLP: TLP:WHITE
Rule name: power_pe_injection
Author: Benjamin DELPY (gentilkiwi) Description: PowerShell with PE Reflective Injection TLP: TLP:WHITE Repository: Neo23x0
Rule name: PowerShdll
Author: Florian Roth Description: Detects hack tool PowerShdll Reference: https://github.com/p3nt4/PowerShdll TLP: TLP:WHITE Repository: Neo23x0
Rule name: PowerShell_ISESteroids_Obfuscation
Author: Florian Roth Description: Detects PowerShell ISESteroids obfuscation Reference: https://twitter.com/danielhbohannon/status/877953970437844993 TLP: TLP:WHITE Repository: Neo23x0
Rule name: PowerShell_ISESteroids_Obfuscation_RID347F
Author: Florian Roth Description: Detects PowerShell ISESteroids obfuscation Reference: https://twitter.com/danielhbohannon/status/877953970437844993 TLP: TLP:WHITE
Rule name: Powershell_Netcat
Author: Florian Roth Description: Detects a Powershell version of the Netcat network hacking tool TLP: TLP:WHITE Repository: Neo23x0
Rule name: Powershell_Netcat_RID2DF4
Author: Florian Roth Description: Detects a Powershell version of the Netcat network hacking tool Reference: - TLP: TLP:WHITE
Rule name: PP_CN_APT_ZeroT_3
Author: Florian Roth Description: Detects malware from the Proofpoint CN APT ZeroT incident Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx TLP: TLP:WHITE Repository: Neo23x0
Rule name: PP_CN_APT_ZeroT_3_RID2CCA
Author: Florian Roth Description: Detects malware from the Proofpoint CN APT ZeroT incident Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx TLP: TLP:WHITE
Rule name: PP_CN_APT_ZeroT_5
Author: Florian Roth Description: Detects malware from the Proofpoint CN APT ZeroT incident Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx TLP: TLP:WHITE Repository: Neo23x0
Rule name: PP_CN_APT_ZeroT_5_RID2CCC
Author: Florian Roth Description: Detects malware from the Proofpoint CN APT ZeroT incident Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx TLP: TLP:WHITE
Rule name: ProcessInjector_Gen
Author: Florian Roth Description: Detects a process injection utility that can be used ofr good and bad purposes Reference: https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c TLP: TLP:WHITE Repository: Neo23x0
Rule name: ProcessInjector_Gen_RID2EA7
Author: Florian Roth Description: Detects a process injection utility that can be used ofr good and bad purposes Reference: https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c TLP: TLP:WHITE
Rule name: ProPort_zip_Folder_ProPort
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file ProPort.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: PS_AMSI_Bypass
Author: Florian Roth Description: Detects PowerShell AMSI Bypass Reference: https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1 TLP: TLP:WHITE Repository: Neo23x0
Rule name: PS_AMSI_Bypass_RID2C0E
Author: Florian Roth Description: Detects PowerShell AMSI Bypass Reference: https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1 TLP: TLP:WHITE
Rule name: ps1_toolkit_Inveigh_BruteForce_2
Author: Florian Roth Description: Auto-generated rule - from files Inveigh-BruteForce.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE Repository: Neo23x0
Rule name: ps1_toolkit_Inveigh_BruteForce_2_RID3394
Author: Florian Roth Description: Semiautomatically generated YARA rule - from files Inveigh-BruteForce.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE
Rule name: ps1_toolkit_Inveigh_BruteForce_3
Author: Florian Roth Description: Auto-generated rule - from files Inveigh-BruteForce.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE Repository: Neo23x0
Rule name: ps1_toolkit_Inveigh_BruteForce_3_RID3395
Author: Florian Roth Description: Semiautomatically generated YARA rule - from files Inveigh-BruteForce.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE
Rule name: ps1_toolkit_Invoke_Mimikatz
Author: Florian Roth Description: Auto-generated rule - file Invoke-Mimikatz.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE Repository: Neo23x0
Rule name: ps1_toolkit_Invoke_Mimikatz_RID31FA
Author: Florian Roth Description: Semiautomatically generated YARA rule - file Invoke-Mimikatz.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE
Rule name: ps1_toolkit_Invoke_Shellcode
Author: Florian Roth Description: Auto-generated rule - file Invoke-Shellcode.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE Repository: Neo23x0
Rule name: ps1_toolkit_Invoke_Shellcode_RID3247
Author: Florian Roth Description: Semiautomatically generated YARA rule - file Invoke-Shellcode.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE
Rule name: ps1_toolkit_Persistence
Author: Florian Roth Description: Auto-generated rule - file Persistence.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE Repository: Neo23x0
Rule name: ps1_toolkit_Persistence_2
Author: Florian Roth Description: Auto-generated rule - from files Persistence.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE Repository: Neo23x0
Rule name: ps1_toolkit_Persistence_2_RID30FF
Author: Florian Roth Description: Semiautomatically generated YARA rule - from files Persistence.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE
Rule name: ps1_toolkit_Persistence_RID306E
Author: Florian Roth Description: Semiautomatically generated YARA rule - file Persistence.ps1 Reference: https://github.com/vysec/ps1-toolkit TLP: TLP:WHITE
Rule name: pstgdump
Author: Florian Roth Description: Detects a tool used by APT groups - file pstgdump.exe Reference: http://goo.gl/igxLyF TLP: TLP:WHITE Repository: Neo23x0
Rule name: pstgdump_RID2A85
Author: Florian Roth Description: Detects a tool used by APT groups - file pstgdump_RID2A85.exe Reference: http://goo.gl/igxLyF TLP: TLP:WHITE
Rule name: Pupy_Backdoor
Author: Florian Roth Description: Detects Pupy backdoor Reference: https://github.com/n1nj4sec/pupy-binaries TLP: TLP:WHITE Repository: Neo23x0
Rule name: Pupy_Backdoor_RID2C43
Author: Florian Roth Description: Detects Pupy backdoor Reference: https://github.com/n1nj4sec/pupy-binaries TLP: TLP:WHITE
Rule name: PwDump
Author: Marc Stroebel Description: PwDump 6 variant TLP: TLP:WHITE Repository: Neo23x0
Rule name: PwDump_B
Author: Florian Roth Description: Detects a tool used by APT groups - file PwDump.exe Reference: http://goo.gl/igxLyF TLP: TLP:WHITE Repository: Neo23x0
Rule name: PwDump_B_RID2A0F
Author: Florian Roth Description: Detects a tool used by APT groups - file PwDump.exe Reference: http://goo.gl/igxLyF TLP: TLP:WHITE
Rule name: QuarksPwDump_Gen
Author: Florian Roth Description: Detects all QuarksPWDump versions TLP: TLP:WHITE Repository: Neo23x0
Rule name: QuarksPwDump_Gen_RID2D5E
Author: Florian Roth Description: Detects all QuarksPWDump versions Reference: - TLP: TLP:WHITE
Rule name: Quasar_RAT_2
Author: Florian Roth Description: Detects Quasar RAT Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: Quasar_RAT_2_RID2B55
Author: Florian Roth Description: Detects Quasar RAT Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf TLP: TLP:WHITE
Rule name: RagnarLocker
Author: @bartblaze Description: Identifies RagnarLocker ransomware unpacked or in memory. TLP: TLP:WHITE Repository: bartblaze
Rule name: RAT_adWind
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects Adwind RAT Reference: http://malwareconfig.com/stats/adWind TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_Adzok
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects Adzok RAT Reference: http://malwareconfig.com/stats/Adzok TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_Ap0calypse
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects Ap0calypse RAT Reference: http://malwareconfig.com/stats/Ap0calypse TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_BlackShades
Author: Brian Wallace (@botnet_hunter) Description: Detects BlackShades RAT Reference: http://blog.cylance.com/a-study-in-bots-blackshades-net TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_BlueBanana
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects BlueBanana RAT Reference: http://malwareconfig.com/stats/BlueBanana TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_Bozok
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects Bozok RAT Reference: http://malwareconfig.com/stats/Bozok TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_ClientMesh
Author: Kevin Breen <kevin@techanarchy.net> (slightly modified by Florian Roth to improve performance) Description: Detects ClientMesh RAT Reference: http://malwareconfig.com/stats/ClientMesh TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_DarkComet
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects DarkComet RAT Reference: http://malwareconfig.com/stats/DarkComet TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_DarkRAT
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects DarkRAT Reference: http://malwareconfig.com/stats/DarkRAT TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_JavaDropper
Author: Kevin Breen <kevin@techanarchy.net> (slightly modified by Florian Roth to improve performance) Description: Detects JavaDropper RAT Reference: http://malwareconfig.com/stats/JavaDropper TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_LostDoor
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects LostDoor RAT Reference: http://malwareconfig.com/stats/LostDoor TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_Paradox
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects Paradox RAT Reference: http://malwareconfig.com/stats/Paradox TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_QRat
Author: Kevin Breen @KevTheHermit Description: Detects QRAT Reference: http://malwareconfig.com TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_ShadowTech
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects ShadowTech RAT Reference: http://malwareconfig.com/stats/ShadowTech TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_Sub7Nation
Author: Kevin Breen <kevin@techanarchy.net> (slightly modified by Florian Roth to improve performance) Description: Detects Sub7Nation RAT Reference: http://malwareconfig.com/stats/Sub7Nation TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_unrecom
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects unrecom RAT Reference: http://malwareconfig.com/stats/unrecom TLP: TLP:WHITE Repository: Neo23x0
Rule name: RAT_Vertex
Author: Kevin Breen <kevin@techanarchy.net> Description: Detects Vertex RAT Reference: http://malwareconfig.com/stats/Vertex TLP: TLP:WHITE Repository: Neo23x0
Rule name: RDP_Brute_Strings
Author: NCSC Description: Detects RDP brute forcer from NCSC report Reference: https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control TLP: TLP:WHITE Repository: Neo23x0
Rule name: RedDelta_loader
Author: Intezer Labs Reference: https://www.intezer.com TLP: TLP:WHITE Repository: Intezer
Rule name: REDLEAVES_CoreImplant_UniqueStrings
Author: USG Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state Reference: https://www.us-cert.gov/ncas/alerts/TA17-117A TLP: TLP:WHITE Repository: Neo23x0
Rule name: redSails_PY
Author: Florian Roth Description: Detects Red Sails Hacktool - Python Reference: https://github.com/BeetleChunks/redsails TLP: TLP:WHITE Repository: Neo23x0
Rule name: redSails_PY_RID2B50
Author: Florian Roth Description: Detects Red Sails Hacktool - Python Reference: https://github.com/BeetleChunks/redsails TLP: TLP:WHITE
Rule name: Reflective_DLL_Loader_Aug17_2
Author: Florian Roth Description: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: Reflective_DLL_Loader_Aug17_2_RID3180
Author: Florian Roth Description: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack Reference: Internal Research TLP: TLP:WHITE
Rule name: Regin_Related_Malware
Author: Florian Roth Description: Malware Sample - maybe Regin related Reference: VT Analysis TLP: TLP:WHITE Repository: Neo23x0
Rule name: Regin_Related_Malware_RID2F4E
Author: Florian Roth Description: Malware Sample - maybe Regin related Reference: VT Analysis TLP: TLP:WHITE
Rule name: Rehashed_RAT_2
Author: Florian Roth Description: Detects malware from Rehashed RAT incident Reference: https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations TLP: TLP:WHITE Repository: Neo23x0
Rule name: Rehashed_RAT_2_RID2C0C
Author: Florian Roth Description: Detects malware from Rehashed RAT incident Reference: https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations TLP: TLP:WHITE
Rule name: RevengeRAT_Sep17
Author: Florian Roth Description: Detects RevengeRAT malware Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: RUAG_APT_Malware_Gen1_RID2E56
Author: Florian Roth Description: Detects malware used in the RUAG APT case Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case TLP: TLP:WHITE
Rule name: RUAG_APT_Malware_Gen2_RID2E57
Author: Florian Roth Description: Detects malware used in the RUAG APT case Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case TLP: TLP:WHITE
Rule name: RUAG_APT_Malware_Gen3_RID2E58
Author: Florian Roth Description: Detects malware used in the RUAG APT case Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case TLP: TLP:WHITE
Rule name: scanarator
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file scanarator.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: scanarator_iis
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file iis.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: ScanBox_Malware_Generic
Author: Florian Roth Description: Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP TLP: TLP:WHITE Repository: Neo23x0
Rule name: shimrat
Author: Yonathan Klijnsma (yonathan.klijnsma@fox-it.com) Description: Detects ShimRat and the ShimRat loader TLP: TLP:WHITE Repository: Neo23x0
Rule name: shimratreporter
Author: Yonathan Klijnsma (yonathan.klijnsma@fox-it.com) Description: Detects ShimRatReporter TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_2323
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file 2323.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_findoor
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file findoor.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_fscan
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file fscan.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_letmein
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file letmein.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_listip
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file listip.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_RunAsEx
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file RunAsEx.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_sqlcmd
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file sqlcmd.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_token
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file token.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_webget
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file webget.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: sig_238_xsniff
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file xsniff.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: Silence_malware_2
Author: Florian Roth Description: Detects malware sample mentioned in the Silence report on Securelist Reference: https://securelist.com/the-silence/83009/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: Silence_malware_2_RID2DAD
Author: Florian Roth Description: Detects malware sample mentioned in the Silence report on Securelist Reference: https://securelist.com/the-silence/83009/ TLP: TLP:WHITE
Rule name: Sofacy_Fybis_ELF_Backdoor_Gen1
Author: Florian Roth Description: Detects Sofacy Fysbis Linux Backdoor Reference: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: Sofacy_Fybis_ELF_Backdoor_Gen1_RID3236
Author: Florian Roth Description: Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1 Reference: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ TLP: TLP:WHITE
Rule name: sqlcheck
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file sqlcheck.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: SQLMap
Author: Florian Roth Description: This signature detects the SQLMap SQL injection tool TLP: TLP:WHITE Repository: Neo23x0
Rule name: Start2_net_mem
Author: James_inthe_box Description: SystemBC Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e TLP: TLP:WHITE Repository: silence-is-best
Rule name: StealthWasp_s_Basic_PortScanner_v1_2
Author: yarGen Yara Rule Generator by Florian Roth Description: Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: StreamEx_ShellCrew
Author: Cylance Description: Detects a Reference: https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar TLP: TLP:WHITE Repository: Neo23x0
Rule name: STUXSHOP_config
Author: JAG-S (turla@chronicle.security) Reference: https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1
Author: Florian Roth Description: Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments Reference: https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: SUSP_Base64_Encoded_Hacktool_Dev
Author: Florian Roth Description: Detects a suspicious base64 encoded keyword Reference: https://twitter.com/cyb3rops/status/1270626274826911744 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Base64_Encoded_Hacktool_Dev_RID32C3
Author: Florian Roth Description: Detects a suspicious base64 encoded keyword Reference: https://twitter.com/cyb3rops/status/1270626274826911744 TLP: TLP:WHITE
Rule name: SUSP_Disable_ETW_Jun20_1
Author: Florian Roth Description: Detects method to disable ETW in ENV vars before exeucting a program Reference: https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22
Author: Christian Burkard Description: Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Double_Base64_Encoded_Executable
Author: Florian Roth Description: Detects an executable that has been encoded with base64 twice Reference: https://twitter.com/TweeterCyber/status/1189073238803877889 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Double_Base64_Encoded_Executable_RID34CC
Author: Florian Roth Description: Detects an executable that has been encoded with base64 twice Reference: https://twitter.com/TweeterCyber/status/1189073238803877889 TLP: TLP:WHITE
Rule name: SUSP_Encoded_Discord_Attachment_Oct21_1
Author: Florian Roth Description: Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_JDNIExploit_Error_Indicators_Dec21_1
Author: Florian Roth Description: Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j exploitation Reference: https://twitter.com/marcioalm/status/1470361495405875200?s=20 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Netsh_PortProxy_Command
Author: Florian Roth Description: Detects a suspicious command line with netsh and the portproxy command Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Netsh_PortProxy_Command_RID3201
Author: Florian Roth Description: Detects a suspicious command line with netsh and the portproxy command Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy TLP: TLP:WHITE
Rule name: SUSP_OBFUSC_JS_Sept21_2
Author: Florian Roth Description: Detects JavaScript obfuscation as used in MalDocs by FIN7 group Reference: https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: SUSP_OBFUSC_PowerShell_True_Jun20_1
Author: Florian Roth Description: Detects indicators often found in obfuscated PowerShell scripts Reference: https://github.com/corneacristian/mimikatz-bypass/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_OBFUSC_PowerShell_True_Jun20_1_RID335E
Author: Florian Roth Description: Detects indicators often found in obfuscated PowerShell scripts Reference: https://github.com/corneacristian/mimikatz-bypass/ TLP: TLP:WHITE
Rule name: SUSP_PS1_JAB_Pattern_Jun22_1
Author: Florian Roth Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_PS1_Msdt_Execution_May22
Author: Nasreddine Bencherchali, Christian Burkard Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 Reference: https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Reversed_Base64_Encoded_EXE
Author: Florian Roth Description: Detects an base64 encoded executable with reversed characters Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Reversed_Hacktool_Author
Author: Florian Roth Description: Detects a suspicious path traversal into a Windows folder Reference: https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Reversed_Hacktool_Author_RID3261
Author: Florian Roth Description: Detects a suspicious path traversal into a Windows folder Reference: https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/ TLP: TLP:WHITE
Rule name: SUSP_shellpop_Bash
Author: Tobias Michalski Description: Detects susupicious bash command Reference: https://github.com/0x00-0x00/ShellPop TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team Description: Detects the reference of suspicious sites that might be used to download further malware TLP: TLP:WHITE Repository: SIFalcon
Rule name: Suspicious_Script_Running_from_HTTP
Author: Florian Roth Description: Detects a suspicious Reference: https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100 TLP: TLP:WHITE Repository: Neo23x0
Rule name: Suspicious_Script_Running_from_HTTP_RID350E
Author: Florian Roth Description: Detects a suspicious Reference: https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100 TLP: TLP:WHITE
Rule name: SystemBC_Config
Author: @bartblaze Description: Identifies SystemBC RAT, decrypted config. TLP: TLP:WHITE Repository: bartblaze
Rule name: TA17_293A_malware_1
Author: US-CERT Code Analysis Team (modified by Florian Roth) Description: inveigh pen testing tools & related artifacts Reference: https://www.us-cert.gov/ncas/alerts/TA17-293A TLP: TLP:WHITE Repository: Neo23x0
Rule name: TeleBots_IntercepterNG
Author: Florian Roth Description: Detects TeleBots malware - IntercepterNG Reference: https://goo.gl/4if3HG TLP: TLP:WHITE Repository: Neo23x0
Rule name: TeleBots_IntercepterNG_RID2FAC
Author: Florian Roth Description: Detects TeleBots malware - IntercepterNG Reference: https://goo.gl/4if3HG TLP: TLP:WHITE
Rule name: Tofu_Backdoor
Author: Cylance Description: Detects Tofu Trojan Reference: https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: Trojan_Win32_Adupib
Author: Microsoft Description: Adupib SSL Backdoor TLP: TLP:WHITE
Rule name: Trojan_Win32_Plaplex
Author: Microsoft Description: Variant of the JPin backdoor TLP: TLP:WHITE
Rule name: Turla_APT_Malware_Gen1
Author: Florian Roth Description: Detects Turla malware (based on sample used in the RUAG APT case) Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case TLP: TLP:WHITE Repository: Neo23x0
Rule name: Turla_APT_Malware_Gen2
Author: Florian Roth Description: Detects Turla malware (based on sample used in the RUAG APT case) Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case TLP: TLP:WHITE Repository: Neo23x0
Rule name: Turla_APT_Malware_Gen3
Author: Florian Roth Description: Detects Turla malware (based on sample used in the RUAG APT case) Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case TLP: TLP:WHITE Repository: Neo23x0
Rule name: Unidentified_Malware_Two
Author: US CERT Description: Unidentified Implant by APT29 Reference: https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE TLP: TLP:WHITE Repository: Neo23x0
Rule name: Unit78020_Malware_Gen1
Author: Florian Roth Description: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule Reference: http://threatconnect.com/camerashy/?utm_campaign=CameraShy TLP: TLP:WHITE Repository: Neo23x0
Rule name: Unit78020_Malware_Gen1_RID2E84
Author: Florian Roth Description: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule Reference: http://threatconnect.com/camerashy/?utm_campaign=CameraShy TLP: TLP:WHITE
Rule name: Unit78020_Malware_Gen3
Author: Florian Roth Description: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong Reference: http://threatconnect.com/camerashy/?utm_campaign=CameraShy TLP: TLP:WHITE Repository: Neo23x0
Rule name: Unit78020_Malware_Gen3_RID2E86
Author: Florian Roth Description: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong Reference: http://threatconnect.com/camerashy/?utm_campaign=CameraShy TLP: TLP:WHITE
Rule name: UnPack_rar_Folder_InjectT
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file InjectT.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: UnPack_rar_Folder_TBack
Author: Florian Roth Description: Disclosed hacktool set (old stuff) - file TBack.DLL TLP: TLP:WHITE Repository: Neo23x0
Rule name: User_Function_String
Author: NCSC Description: Detects user function string from NCSC report Reference: https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control TLP: TLP:WHITE Repository: Neo23x0
Rule name: VBS_WMIExec_Tool_Apr17_1
Author: Florian Roth Description: Tools related to Operation Cloud Hopper Reference: https://github.com/maaaaz/impacket-examples-windows TLP: TLP:WHITE Repository: Neo23x0
Rule name: VBS_WMIExec_Tool_Apr17_1_RID2F44
Author: Florian Roth Description: Tools related to Operation Cloud Hopper Reference: https://github.com/maaaaz/impacket-examples-windows TLP: TLP:WHITE
Rule name: Venom_Rootkit
Author: Florian Roth Description: Venom Linux Rootkit Reference: https://security.web.cern.ch/security/venom.shtml TLP: TLP:WHITE Repository: Neo23x0
Rule name: Venom_Rootkit_RID2C61
Author: Florian Roth Description: Venom Linux Rootkit Reference: https://security.web.cern.ch/security/venom.shtml TLP: TLP:WHITE
Rule name: VSSown_VBS
Author: Florian Roth Description: Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere TLP: TLP:WHITE Repository: Neo23x0
Rule name: VSSown_VBS_RID2AAB
Author: Florian Roth Description: Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere Reference: - TLP: TLP:WHITE
Rule name: VUBrute_config
Author: Florian Roth Description: PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini Reference: http://goo.gl/xiIphp TLP: TLP:WHITE Repository: Neo23x0
Rule name: VUBrute_VUBrute
Author: Florian Roth Description: PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe TLP: TLP:WHITE Repository: Neo23x0
Rule name: VUL_JQuery_FileUpload_CVE_2018_9206
Author: Florian Roth Description: Detects JQuery File Upload vulnerability CVE-2018-9206 Reference: https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: VUL_JQuery_FileUpload_CVE_2018_9206_RID32A2
Author: Florian Roth Description: Detects JQuery File Upload vulnerability CVE-2018-9206 Reference: https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/ TLP: TLP:WHITE
Rule name: WaterBug_wipbot_2013_dll
Author: Symantec Security Response Description: Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component Reference: http://t.co/rF35OaAXrl TLP: TLP:WHITE Repository: Neo23x0
Rule name: WCE_in_memory
Author: Florian Roth Description: Detects Windows Credential Editor (WCE) in memory (and also on disk) Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: WCE_in_memory_RID2C1E
Author: Florian Roth Description: Detects Windows Credential Editor (WCE) in memory (and also on disk) Reference: Internal Research TLP: TLP:WHITE
Rule name: WCE_Modified_1_1014
Author: Florian Roth Description: Modified (packed) version of Windows Credential Editor TLP: TLP:WHITE Repository: Neo23x0
Rule name: WEBSHELL_APT_PHP_DEWMODE_UNC2546_Feb21_1
Author: Florian Roth Description: Detects DEWMODE webshells Reference: https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: WEBSHELL_ASPX_reGeorgTunnel
Author: threatintel@volexity.com Description: variation on reGeorgtunnel Reference: https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx TLP: TLP:WHITE
Rule name: WEBSHELL_ASPX_SportsBall
Author: threatintel@volexity.com Description: The SPORTSBALL webshell allows attackers to upload files or execute commands on the system. Reference: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: WEBSHELL_HAFNIUM_CISA_10328929_01
Author: CISA Code & Media Analysis Description: Detects CVE-2021-27065 Webshellz Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a TLP: TLP:WHITE
Rule name: WEBSHELL_PAS_webshell_SQLDumpFile
Author: FR/ANSSI/SDO Description: Detects SQL dump file created by P.A.S. webshell Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: WEBSHELL_PAS_webshell_ZIPArchiveFile
Author: FR/ANSSI/SDO (modified by Florian Roth) Description: Detects an archive file created by P.A.S. for download operation Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf TLP: TLP:WHITE Repository: Neo23x0
Rule name: WEBSHELL_PHP_DEWMODE_UNC2546_Feb21_1_RID3187
Author: Florian Roth Description: Detects DEWMODE webshells Reference: https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html TLP: TLP:WHITE
Rule name: WEBSHELL_ProxyShell_Exploitation_Nov21_1
Author: Florian Roth Description: Detects webshells dropped by DropHell malware Reference: https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside TLP: TLP:WHITE Repository: Neo23x0
Rule name: WiltedTulip_powershell
Author: Florian Roth Description: Detects powershell script used in Operation Wilted Tulip Reference: http://www.clearskysec.com/tulip TLP: TLP:WHITE Repository: Neo23x0
Rule name: WiltedTulip_powershell_RID302C
Author: Florian Roth Description: Detects powershell script used in Operation Wilted Tulip Reference: http://www.clearskysec.com/tulip TLP: TLP:WHITE
Rule name: WiltedTulip_ReflectiveLoader
Author: Florian Roth Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Reference: http://www.clearskysec.com/tulip TLP: TLP:WHITE Repository: Neo23x0
Rule name: WiltedTulip_Windows_UM_Task
Author: Florian Roth Description: Detects a Windows scheduled task as used in Operation Wilted Tulip Reference: http://www.clearskysec.com/tulip TLP: TLP:WHITE Repository: Neo23x0
Rule name: WiltedTulip_Windows_UM_Task_RID31C5
Author: Florian Roth Description: Detects a Windows scheduled task as used in Operation Wilted Tulip Reference: http://www.clearskysec.com/tulip TLP: TLP:WHITE
Rule name: WiltedTulip_WindowsTask
Author: Florian Roth Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Reference: http://www.clearskysec.com/tulip TLP: TLP:WHITE Repository: Neo23x0
Rule name: WiltedTulip_WindowsTask_RID3065
Author: Florian Roth Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Reference: http://www.clearskysec.com/tulip TLP: TLP:WHITE
Rule name: classified Author: classified TLP TLP:GREEN
Rule name: win_badnews_w0
Author: Florian Roth Reference: http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2 TLP: TLP:WHITE Repository: Malpedia
Rule name: win_bs2005_w0
Author: Florian Roth Description: Detects malware from APT 15 report by NCC Group Reference: https://goo.gl/HZ5XMN TLP: TLP:WHITE Repository: Malpedia
Rule name: win_crackshot_w0
Author: Florian Roth Description: Detects APT41 malware CRACKSHOT Reference: https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html TLP: TLP:WHITE Repository: Malpedia
Rule name: win_csext_w0
Author: Cylance Inc. Description: Backdoor used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Malpedia
Rule name: classified Author: classified TLP TLP:GREEN
Rule name: win_dispenserxfs_w0
Author: @Xylit0l @r3c0nst / Modified by Florian Roth Description: Detects ATM Malware DispenserXFS Reference: https://twitter.com/r3c0nst/status/1100775857306652673 TLP: TLP:WHITE Repository: Malpedia
Rule name: win_doublepulsar_w0
Author: Florian Roth Description: Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server. Reference: https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html TLP: TLP:WHITE Repository: Malpedia
Rule name: win_gazer_w1
Author: ESET Research Description: Turla Gazer malware Reference: https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/ TLP: TLP:WHITE Repository: Malpedia
Rule name: win_ghole_w0
Author: Florian Roth Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Reference: http://goo.gl/NpJpVZ TLP: TLP:WHITE Repository: Malpedia
Rule name: classified Author: classified TLP TLP:GREEN
Rule name: win_iceid_core_ldr_202104
Author: Thomas Barabosch, Telekom Security Description: 2021 loader for Bokbot / Icedid core (license.dat) TLP: TLP:WHITE Repository: Sandnet
Rule name: win_industroyer_w3
Author: Dragos Inc Description: IEC-104 Interaction Module Program Strings Reference: https://dragos.com/blog/crashoverride/ TLP: TLP:WHITE Repository: Malpedia
Rule name: win_ismdoor_w0
Author: Florian Roth Reference: https://goo.gl/urp4CD TLP: TLP:WHITE Repository: Malpedia
Rule name: win_jasus_w0
Author: Cylance Inc. Description: ARP cache poisoner used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Malpedia
Rule name: win_kagent_w0
Author: Cylance Inc. Description: Backdoor used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Malpedia
Rule name: win_keyboy_w0
Author: Florian Roth Reference: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html TLP: TLP:WHITE Repository: Malpedia
Rule name: win_lockergoga_w0
Author: Florian Roth Description: Detects LockerGoga ransomware binaries Reference: https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202 TLP: TLP:WHITE Repository: Malpedia
Rule name: win_naikon_w1
Author: Seth Hardy Description: Naikon Identifying Strings TLP: TLP:WHITE Repository: Malpedia
Rule name: win_netwire_w0
Author: Jean-Philippe Teissier / @Jipe_ Description: NetWiredRC TLP: TLP:WHITE Repository: Malpedia
Rule name: win_pngdowner_w0
Author: CrowdStrike, Inc. Description: PUTTER PANDA - PNGDOWNER TLP: TLP:WHITE Repository: Malpedia
Rule name: Win_PrivEsc_folderperm
Author: Florian Roth Description: Detects a tool that can be used for privilege escalation - file folderperm.ps1 Reference: http://www.greyhathacker.net/?p=738 TLP: TLP:WHITE Repository: Neo23x0
Rule name: Win_PrivEsc_folderperm_RID2FE9
Author: Florian Roth Description: Detects a tool that can be used for privilege escalation - file folderperm.ps1 Reference: http://www.greyhathacker.net/?p=738 TLP: TLP:WHITE
Rule name: Win_PrivEsc_gp3finder_v4_0
Author: Florian Roth Description: Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe Reference: http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: Win_PrivEsc_gp3finder_v4_0_RID30D3
Author: Florian Roth Description: Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe Reference: http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/ TLP: TLP:WHITE
Rule name: win_ratankbapos_w0
Author: Threat Exchange http://blog.trex.re.kr/3 Description: hkp.dll TLP: TLP:WHITE Repository: Malpedia
Rule name: win_rgdoor_w0
Author: Florian Roth Description: Detects RGDoor backdoor used by OilRig group Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ TLP: TLP:WHITE Repository: Malpedia
Rule name: win_robinhood_w0
Author: anonymous submission Description: Unpacked RobinHood ransomware TLP: TLP:WHITE Repository: Malpedia
Rule name: win_royal_dns_w0
Author: Florian Roth Description: Detects malware from APT 15 report by NCC Group Reference: https://goo.gl/HZ5XMN TLP: TLP:WHITE Repository: Malpedia
Rule name: win_royalcli_w0
Author: Florian Roth Description: Detects malware from APT 15 report by NCC Group Reference: https://goo.gl/HZ5XMN TLP: TLP:WHITE Repository: Malpedia
Rule name: win_stuxnet_w0
Author: JAG-S (turla@chronicle.security) Description: Stuxshop standalone sample configuration TLP: TLP:WHITE Repository: Malpedia
Rule name: win_syscon_w0
Author: Florian Roth Reference: https://goo.gl/JAHZVL TLP: TLP:WHITE Repository: Malpedia
Rule name: win_tinyzbot_w0
Author: Cylance Inc. Description: Tiny Bot used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Malpedia
Rule name: win_tinyzbot_w1
Author: Cylance Description: http://cylance.com/opcleaver TLP: TLP:WHITE Repository: Malpedia
Rule name: win_xxmm_w0
Author: Florian Roth Description: Detects malware / hacktool sample from Bronze Butler incident TLP: TLP:WHITE Repository: Malpedia
Rule name: win_yty_w0
Author: James E.C, ProofPoint Description: Modular malware framework with similarities to EHDevel TLP: TLP:WHITE Repository: Malpedia
Rule name: win_zerot_w0
Author: Florian Roth Description: Detects malware from the Proofpoint CN APT ZeroT incident Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx TLP: TLP:WHITE Repository: Malpedia
Rule name: win_zhmimikatz_w0
Author: Cylance Inc. Description: Mimikatz wrapper used by attackers in Operation Cleaver Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf TLP: TLP:WHITE Repository: Malpedia
Rule name: win_zxshell_w0
Author: Florian Roth Reference: https://blogs.rsa.com/cat-phishing/ TLP: TLP:WHITE Repository: Malpedia
Rule name: WindosShell_s1
Author: Florian Roth Description: Detects simple Windows shell - file s1.exe Reference: https://github.com/odzhan/shells/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: WindosShell_s1_RID2C80
Author: Florian Roth Description: Detects simple Windows shell - file s1.exe Reference: https://github.com/odzhan/shells/ TLP: TLP:WHITE
Rule name: Windows_Credentials_Editor
Author: @bartblaze Description: Identifies Windows Credentials Editor (WCE), post-exploitation tool. Reference: https://www.ampliasecurity.com/research/windows-credentials-editor/ TLP: TLP:WHITE Repository: MalwareBazaar
Rule name: WindowsShell_Gen
Author: Florian Roth Description: Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe Reference: https://github.com/odzhan/shells/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: WindowsShell_Gen_RID2D6D
Author: Florian Roth Description: Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe Reference: https://github.com/odzhan/shells/ TLP: TLP:WHITE
Rule name: WindowsShell_Gen2
Author: Florian Roth Description: Detects simple Windows shell - from files s3.exe, s4.exe Reference: https://github.com/odzhan/shells/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: WindowsShell_Gen2_RID2D9F
Author: Florian Roth Description: Detects simple Windows shell - from files s3.exe, s4.exe Reference: https://github.com/odzhan/shells/ TLP: TLP:WHITE
Rule name: WindowsShell_s3
Author: Florian Roth Description: Detects simple Windows shell - file s3.exe Reference: https://github.com/odzhan/shells/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: WindowsShell_s3_RID2CF9
Author: Florian Roth Description: Detects simple Windows shell - file s3.exe Reference: https://github.com/odzhan/shells/ TLP: TLP:WHITE
Rule name: Winnti_NlaifSvc
Author: Florian Roth Description: Winnti sample - file NlaifSvc.dll Reference: https://goo.gl/VbvJtL TLP: TLP:WHITE Repository: Neo23x0
Rule name: Winnti_NlaifSvc_RID2CFF
Author: Florian Roth Description: Winnti sample - file NlaifSvc.dll Reference: https://goo.gl/VbvJtL TLP: TLP:WHITE
Rule name: WMImplant
Author: Florian Roth Description: Auto-generated rule - file WMImplant.ps1 Reference: https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html TLP: TLP:WHITE Repository: Neo23x0
Rule name: WMImplant_RID2A8A
Author: Florian Roth Description: Detects WMI implant- file WMImplant_RID2A8A.ps1 Reference: https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html TLP: TLP:WHITE
Rule name: WoolenGoldfish_Generic_3
Author: Florian Roth Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Reference: http://goo.gl/NpJpVZ TLP: TLP:WHITE Repository: Neo23x0
Rule name: WoolenGoldfish_Sample_1
Author: Florian Roth Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Reference: http://goo.gl/NpJpVZ TLP: TLP:WHITE Repository: Neo23x0
Rule name: WoolenGoldfish_Sample_1_RID3006
Author: Florian Roth Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Reference: http://goo.gl/NpJpVZ TLP: TLP:WHITE
Rule name: Ysoserial_Payload
Author: Florian Roth Description: Ysoserial Payloads Reference: https://github.com/frohoff/ysoserial TLP: TLP:WHITE Repository: Neo23x0
Rule name: Ysoserial_Payload_3
Author: Florian Roth Description: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin Reference: https://github.com/frohoff/ysoserial TLP: TLP:WHITE Repository: Neo23x0
Rule name: Ysoserial_Payload_3_RID2E87
Author: Florian Roth Description: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin Reference: https://github.com/frohoff/ysoserial TLP: TLP:WHITE
Rule name: Ysoserial_Payload_RID2DF5
Author: Florian Roth Description: Ysoserial Payloads Reference: https://github.com/frohoff/ysoserial TLP: TLP:WHITE
Rule name: Ysoserial_Payload_Spring1
Author: Florian Roth Description: Ysoserial Payloads - file Spring1.bin Reference: https://github.com/frohoff/ysoserial TLP: TLP:WHITE Repository: Neo23x0
Rule name: Ysoserial_Payload_Spring1_RID30F8
Author: Florian Roth Description: Ysoserial Payloads - file Spring1.bin Reference: https://github.com/frohoff/ysoserial TLP: TLP:WHITE
Rule name: Z_WebShell
Author: NCSC Description: Detects Z Webshell from NCSC report Reference: https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control TLP: TLP:WHITE Repository: Neo23x0
Rule name: ZxShell_Jul17
Author: Florian Roth Description: Detects a ZxShell - CN threat group Reference: https://blogs.rsa.com/cat-phishing/ TLP: TLP:WHITE Repository: Neo23x0
Rule name: ZxShell_Jul17_RID2BCD
Author: Florian Roth Description: Detects a ZxShell - CN threat group Reference: https://blogs.rsa.com/cat-phishing/ TLP: TLP:WHITE
The following YARA rules matched on the unpacked file.
No matches
Unpacked Files
The following files could be unpacked from this sample.
No unpacked files found