signature-base
Loki
Our great sponsors
| signature-base | Loki | |
|---|---|---|
| 12 | 12 | |
| 2,320 | 3,213 | |
| - | - | |
| 9.2 | 5.7 | |
| 13 days ago | about 2 months ago | |
| YARA | Python | |
| GNU General Public License v3.0 or later | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
signature-base
-
Xzbot: Notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
> It doesn't matter.
To understand the exact behavior and extend of the backdoor, this does matter. An end to end proof of how it works is exactly what was needed.
> A way to check if servers are vulnerable is probably by querying the package manager
Yes, this has been know since the initial report + later discovering what exact strings are present for the payload.
https://github.com/Neo23x0/signature-base/blob/master/yara/b...
> Not very sophisticated, but it'll work.
Unfortunately, we live in a world with closed-servers and appliances - being able as a customer or pen tester rule out certain class of security issues without having the source/insights available is usually desirable.
- Exploit Outlook CVE-2023-23397 Yara - to detect .msg files exploiting CVE-2023-23397 in Microsoft Outlook
- OneNote Yara rule
-
New Exchange Zero Day rumours [29th September]
* Run the following YARA rules over your logs and aspx files in INSTALL_DIRECTORY/Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\ https://github.com/Neo23x0/signature-base/blob/master/yara/expl_proxyshell.yar
-
Nvidia Breach
If you have a Yara detection platform, Florian Roth’s rules should detect executables signed with this. https://github.com/Neo23x0/signature-base/blob/master/yara/gen_nvidia_leaked_cert.yar.
-
Evidence of a log4j attack found - Now what?
Uses these YARA rules to read JAR, LOG, and TXT files on the system, throwing warnings if any log4shell-looking payloads are found based on those various rules.
- Yara rule to detect ProxyToken exploitation
-
APT29 / NOBELIUM VirusTotal retro hunt results using 12 newly release Yara rules
Rules https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt29_nobelium_may21.yar
- What are the best FOSS YARA rules you would recommend to deploy?
Loki
-
My Boss Downloaded and Opened a .lnk File and Installed a Malware in His Device
You should run a tool like loki for ioc scanning. This will identify persistence https://github.com/Neo23x0/Loki
-
Deep system malware detection
Link to Loki is here just in case you need it. https://github.com/Neo23x0/Loki
-
What are some of the most frequently used (or favorite) tools in your toolbox?
Loki - YARA/IOC scanner
-
PChunter equivalent on Linux?
loki
- Rage about CVE dataset quality(?)
-
Cybersecurity professionals - what’s your “toolkit”/process to check a desktop PC is clean (or infected), before concluding that a reinstall of the OS is needed?
https://github.com/Neo23x0/Loki is a good tool to check for the presence of anomalies.
-
Which rootkit scanner to use in a could environment ?
Nextron Thor Scanner
-
Proxyshell Vulnerability is Actively used in Exchange servers
Loki - Yara Scanning is recommended for checking the webshell https://github.com/Neo23x0/Loki
-
Question about spyware
I am not an expert, but this is what I would start by doing. Ideally, if you can read javascript, try and understand what the tampermonkey script does. If you still have script, you could try analysing it with tools such as loki. Even if loki doesnt match it you could compute the sha256 signature and look it up on valhalla.
- Is it possible to write an antivirus in python?
What are some alternatives?
malware-ioc - Indicators of Compromises (IOC) of our various investigations
yara - The pattern matching swiss knife
awesome-yara - A curated list of awesome YARA rules, tools, and people.
reversinglabs-yara-rules - ReversingLabs YARA Rules
ThreatHunting - Tools for hunting for threats.
hazedumper - up to date csgo offsets and hazedumper config
Veil-Evasion - Veil Evasion is no longer supported, use Veil 3.0!
audit-node-modules-with-yara - Audit Node Module folder with YARA rules to identify possible malicious packages hiding in node_moudles
pyHanko - pyHanko: sign and stamp PDF files
yara-python - The Python interface for YARA
Veil - Veil 3.1.X (Check version info in Veil at runtime)