Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Changed/added numerous signatarures/YARA #363

Merged
merged 158 commits into from
Mar 7, 2024
Merged

Changed/added numerous signatarures/YARA #363

merged 158 commits into from
Mar 7, 2024

Conversation

RoemIko
Copy link
Contributor

@RoemIko RoemIko commented Jun 16, 2023

While I was working on my thesis I have added numerous YARA rules to detect malicious docs or HTML files. I also rewrote some rules that were causing false positives.

Credits of added rules:

  • hiddenillusion
  • InQuest Labs
  • Florian Roth
  • delivr.to
  • DhaeyerWolf
  • bartblaze
  • imp0rtp3
  • AlienVault

Please review the rules and make changes if neccesarry

YasinEYE and others added 30 commits March 24, 2023 16:38
@YasinEYE
windows_util and encrypted_ioc changes to whitelisting for false posi…
2491cd3 
…tives
@YasinEYE
import re2 or re
681b8fe
@YasinEYE
typo in utilities, windows_utilties
20a9451
@YasinEYE
added whitelist for Internet Explorer since this is not a suspicious …
4bcae86 
…command
@YasinEYE
added whitelist for Internet Explorer since this is not a suspicious …
261453f 
…command
@YasinEYE
fixed typos in windows_utilities, removed false positives
54bc8ab
@YasinEYE
test signatures based on strings
7b5c572
@YasinEYE
added phishingkit rule for one type of phishing kit
6e7c0ae
@RoemIko
Merge branch 'CAPESandbox:master' into staging
64a653a
@YasinEYE
added phishingkit rule for one type of phishing kit
564834c
@YasinEYE
added phishingkit rule for one type of phishing kit
3dad853
@YasinEYE
Added second phishing kit detection
1a1a4ff
@YasinEYE
Added third phishing kit detections and config extractor, made sepera…
4fe95ac 
…te files for suspicious signatures
@YasinEYE
changed windows utilies with helpers
5753cb8
@YasinEYE
Improved regex to extract config out of phishing kits
38c38ee
@YasinEYE
renamed phishing kits so its easier to remember them
8fd9c96
@YasinEYE
Changed windows utitilies schtask whenever the process schtasks is ca…
8023bc3 
…lled.
@YasinEYE
small improvements to HTML obfuscations
0f429e3
@YasinEYE
Changed HTML confidence
463dd76
@YasinEYE
improvements to phishing kit
940d719
@YasinEYE
improvements to phishing kit
324ef17
@YasinEYE
improvements to phishing kit
225de0c
@YasinEYE
improvements to phishing kit
be7d498
@YasinEYE
improvements to phishing kit
7c4a2a9
@YasinEYE
changes to file obfuscation
30693f6
@YasinEYE
Added YARA signature for obfuscated JS
3399b25
@YasinEYE
Added suspicious indicators for html files
73b19f5
@YasinEYE
Added extra YARA rules
5890235
@YasinEYE
Added extra YARA rules
a03ed32
@YasinEYE
Added extra YARA rules
012db3c
YasinEYE and others added 26 commits May 25, 2023 14:15
@YasinEYE
added whitelist in infostealer cookie
42a079a
@YasinEYE
added whitelist in infostealer cookie
c325fd7
@YasinEYE
added whitelist in infostealer cookie
3d8bd13
@YasinEYE
added whitelist in infostealer cookie
e0cbcf7
@YasinEYE
added whitelist in infostealer cookie
22b55ee
@YasinEYE
Rewrote antivm system
b204936
@YasinEYE
added whitelist in infostealer cookie
468cfe6
@YasinEYE
added whitelist in infostealer cookie
300dc25
@YasinEYE
Rewrote antivm system
2e3f61f
@YasinEYE
generic disk antivm FP tuning
126b8a4
@RoemIko
Merge branch 'CAPESandbox:master' into staging
a7c50e1
@YasinEYE
generic CPU antivm FP tuning
7f97223
@YasinEYE
Merge branch 'staging' of https://github.com/RoemIko/community into s…
c7cba22 
…taging
@YasinEYE
stealth file FP tuning
bd28fea
@YasinEYE
stealth file FP tuning
a8a9974
@YasinEYE
procmem_yara signature lowered severity as nothing goes past 3
c9c0458
@YasinEYE
antivm network added adobe
68b09d5
@YasinEYE
browser_proxy FP tuning added whitelisted processes
3467d24
@YasinEYE
browser_proxy FP tuning added whitelisted processes
9bc2b95
@YasinEYE
browser_proxy FP tuning added whitelisted processes
95939bf
@RoemIko
Merge branch 'CAPESandbox:master' into staging
48499aa
@YasinEYE
changed code naming for standardization in suspicioushtml
1d1d324
@RoemIko
Merge branch 'CAPESandbox:master' into staging
0f1d392
@YasinEYE
added another phishing kit extractor
d4e7227
@YasinEYE
Logic typo in html phish
12717f5
@YasinEYE
added Remmitance as sus
9b95a87
@kevoreilly
Copy link
Collaborator

Thank you for this epic PR ❤️ although it may take a while to test 😄 but hopefully will get it merged soon!

@doomedraven doomedraven merged commit 1d5e2cd into CAPESandbox:master Mar 7, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@RoemIko @kevoreilly @doomedraven @YasinEYE