### Filename-Based IOC List Initialization Logic Source: https://github.com/neo23x0/signature-base/blob/master/iocs/README.txt Files within the `/neo23x0/signature-base` directory are automatically initialized as specific Indicator of Compromise (IOC) lists. The presence of keywords like 'hash', 'filename', or 'c2' in a file's name determines its type, enabling automated processing of different threat intelligence data. This pseudo-code illustrates the underlying logic. ```Pseudo-code function initializeFile(filename): if "hash" in filename: return "hash IOC list" else if "filename" in filename: return "filename IOC list" else if "c2" in filename: return "C2 server IOC list" else: return "unknown IOC list type" ``` -------------------------------- ### Signature-Base FAQ: THOR Lite vs. LOKI Comparison Source: https://github.com/neo23x0/signature-base/blob/master/README.md This FAQ entry addresses the differences between THOR Lite and LOKI scanners, which utilize Signature-Base. Users are directed to an external comparison table for detailed information on their features and capabilities. ```APIDOC See our comparison table [here](https://www.nextron-systems.com/compare-our-scanners/). ``` -------------------------------- ### Signature-Base FAQ: Report False Positives Source: https://github.com/neo23x0/signature-base/blob/master/README.md This FAQ entry provides instructions on how to report false positives encountered with Signature-Base rules. Users are directed to utilize the issues section of the repository for submitting reports. ```APIDOC Use the issues section of this repository. ``` -------------------------------- ### Signature-Base FAQ: Submit YARA Rules or IOCs Source: https://github.com/neo23x0/signature-base/blob/master/README.md This FAQ entry outlines the method for providing new YARA rules or IOCs to the Signature-Base repository. The maintainer accepts contributions via pull requests, with a linked external resource for guidance on creating such requests. ```APIDOC I accept pull requests. See this [thread](https://twitter.com/cyb3rops/status/1320657673742897153) for some help on how to create such a request. ``` -------------------------------- ### Signature-Base Project Overview Source: https://github.com/neo23x0/signature-base/blob/master/README.md This section introduces Signature-Base, a YARA signature and IOC database designed for LOKI and THOR Lite scanners. It emphasizes the project's commitment to high-quality rules, minimal false positives, and a clear, consistent format. ```Markdown Signature-Base is the YARA signature and IOC database for our scanners [LOKI](https://github.com/Neo23x0/Loki) and [THOR Lite](https://www.nextron-systems.com/thor-lite/) ``` -------------------------------- ### Signature-Base Directory Structure Reference Source: https://github.com/neo23x0/signature-base/blob/master/README.md This section outlines the directory structure of the Signature-Base repository, detailing the purpose of each main directory. It helps users understand where to find specific types of files, such as IOCs, YARA rules, and threat intelligence components. ```APIDOC - iocs - Simple IOC files (CSV) - yara - YARA rules - threatintel - Threat Intel API Receiver (MISP, OTX) - misc - Other input files (not IOCs or signatures) ``` -------------------------------- ### Mimikatz Detection Keywords Source: https://github.com/neo23x0/signature-base/blob/master/iocs/keywords.txt Strings and commands commonly associated with Mimikatz, a post-exploitation tool for credential dumping. Detection of these keywords can indicate the presence or use of Mimikatz on a system. ```plaintext eo.oe.kiwi ``` ```plaintext <3 eo.oe ``` ```plaintext mimilib ``` ```plaintext privilege::debug ``` ```plaintext sekurlsa::LogonPasswords ``` ```plaintext sekurlsa::logonpasswords ``` -------------------------------- ### Signature-Base FAQ: Contribute Bug Fixes Source: https://github.com/neo23x0/signature-base/blob/master/README.md This FAQ entry explains the process for contributing bug fixes to Signature-Base rules. Users can directly edit files in the repository and submit a pull request to propose changes. ```APIDOC Navigate to the file in this repository. Click on the "edit" symbol in the upper right corner. Edit the file and create a pull request. ``` -------------------------------- ### Powershell Mimikatz Command Source: https://github.com/neo23x0/signature-base/blob/master/iocs/keywords.txt A PowerShell command for executing Mimikatz functionality, often used for credential access. This specific cmdlet is a common indicator of Mimikatz being run via PowerShell. See https://adsecurity.org/?p=2604 for more context. ```powershell Invoke-Mimikatz ``` -------------------------------- ### MoonBounce APT IOCs from Securelist Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This list details Indicators of Compromise (IOCs) associated with the MoonBounce APT, as documented by Securelist. These domains and IP addresses are linked to the UEFI firmware implant and its command-and-control infrastructure. Implementing these IOCs helps in detecting and preventing communication with MoonBounce C2 servers. ```IOCs mb.glbaitech.com ns.glbaitech.com dev.kinopoisksu.com st.kinopoisksu.com 188.166.61.146 172.107.231.236 193.29.57.161 136.244.100.127 217.69.10.104 92.38.178.246 m.necemarket.com 172.105.94.67 holdmem.dbhubspi.com 5.188.93.132 5.189.222.33 5.183.103.122 5.188.108.228 45.128.132.6 92.223.105.246 5.183.101.21 5.183.101.114 45.128.135.15 5.188.108.22 70.34.201.16 ``` -------------------------------- ### Signature-Base License Information Source: https://github.com/neo23x0/signature-base/blob/master/README.md This section details the licensing terms for the Signature-Base repository, indicating a switch to 'Detection Rule License (DRL) 1.1' as of August 13, 2021. It specifies that all signatures and IOC files, unless otherwise noted in YARA rule metadata, are covered by this license. ```APIDOC On 13.08.2021 this repository switched its license to "Detection Rule License (DRL) 1.1" (URL: [https://raw.githubusercontent.com/Neo23x0/signature-base/master/LICENSE](https://raw.githubusercontent.com/Neo23x0/signature-base/master/LICENSE)). The last version of the rule set released under the old CC-BY-NC can be found [here](https://github.com/Neo23x0/signature-base/releases/tag/v2.0). All signatures and IOC files in this repository, except the YARA rules that explicitly indicate a different license (see "license" meta data), are licensed under the [Detection Rule License (DRL) 1.1](https://raw.githubusercontent.com/Neo23x0/signature-base/master/LICENSE). ``` -------------------------------- ### Detect General Malicious Domains and IPs Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This list contains a broad collection of various malicious domains and IP addresses identified as part of the /neo23x0/signature-base project. These indicators can be used to identify and block connections to known malicious infrastructure, including potential C2 servers, phishing sites, or other threat actor controlled assets. Regularly updating this list is crucial for maintaining effective network security. ```Plaintext www.registrations.organiccrap.com www.remeberdata.iownyour.org www.reserveds.onedumb.com www.rethem.almostmy.com www.rg197.win www.sakai.unhamj.com www.sakuranorei.com www.sapporo.cloud-maste.com www.sauerkraut.sellclassics.com www.saverd.re26.com www.sbuudd.webssl9.info www.sdmsg.onmypc.org www.se.toythieves.com www.secertnews.mrbasic.com www.secnetshit.com www.secserverupdate.toh.info www.senseye.ikwb.com www.senseye.mrbonus.com www.septdlluckysystem.jungleheart.com www.seraphim-yurieva.justdied.com www.serv.justdied.com www.server1.proxydns.com www.seyesb.acmetoy.com www.showy.almostmy.com www.shugiin.jkub.com www.sindeali.com www.singed.otzo.com www.sojourner.mypicture.info www.sstday.jkub.com www.support1.mrface.com www.supportus.mefound.com www.svc.dynssl.com www.sweetheart.sexxxy.biz www.synssl.dnset.com www.tamraj.fartit.com www.telegraph.mefound.com www.tendonsof.com www.tfa.longmusic.com www.thunder.wikaba.com www.ticket.instanthq.com www.ticket.serveuser.com www.tisupdateinfo.faqserv.com www.tokyofile.2waky.com www.transfer.mrbasic.com www.twgovernmentinfo.acmetoy.com www.twmusic.proxydns.com www.twsslpopservupro.dynssl.com www.twx.mynumber.org www.unhamj.com www.usa.itsaol.com www.usa.japanteam.org www.usffunicef.com www.ut-portal-u-tokyo-ac-jp.tyoto-go-jp.com www.v4.windowsupdate.mrface.com www.v4.windowsupdate.nsatcdns.com www.visualstudio.authorizeddns.net www.vmmini.com www.wchildress.com www.webdirectnews.dynamicdns.biz www.webmailentry.jetos.com www.websqlnewsmanager.ninth.biz www.well.mrbasic.com www.windowsimages.qhigh.com www.windowsupdate.acmetoy.com www.windowsupdate.authorizeddns.net www.windowsupdate.authorizeddns.org www.windowsupdate.dnset.com www.windowsupdate.ezua.com www.windowsupdate.fartit.com www.windowsupdate.gettrials.com www.windowsupdate.instanthq.com www.windowsupdate.itsaol.com www.windowsupdate.jungleheart.com www.windowsupdate.lflink.com www.windowsupdate.mrface.com www.windowsupdate.mylftv.com www.windowsupdate.nsatcdns.com www.windowsupdate.organiccrap.com www.windowsupdate.rebatesrule.net www.windowsupdate.sellclassics.com www.windowsupdate.serveusers.com www.windowsupdate.x24hr.com www.wordpress.zzux.com www.yacooll.com www.yahoo.incloud-go.com www.yahooip.net www.yahooprotect.com www.yahooprotect.net www.yandexr.sellclassics.com www.yeahyeahyeahs.3322.org www.yokohamajpinstaz.mrbonus.com www.zaigawebinfo.rebatesrule.net www.zebra.incloud-go.com www2.qpoe.com www2.zyns.com www2.zzux.com x7.usyahooapis.com xc.chromeenter.com xi.dyndns.pro xi.sexxxy.biz xread10821.9966.org xt.dnset.com xyrn998754.2288.org yahoo.incloud-go.com yallago.cu.cc yandexr.sellclassics.com yeahyeahyeahs.3322.org yeap1.jumpingcrab.com yfrfyhf.youdontcare.com yo.acmetoy.com yugoogless.3322.org yunwu1.xicp.net yz.chromeenter.com za.myftp.info zabbix.servercontrols.pw zaigawebinfo.rebatesrule.net zebra.bdoncloud.com zebra.incloud-go.com zebra.unhamj.com zebra.usffunicef.com zebra.wthelpdesk.com zero.pcanywhere.net zg.ns02.biz zone.demoones.com ``` -------------------------------- ### Retrieve and Utilize LOKI C2 Server Indicators of Compromise Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This snippet provides a raw list of C2 server domains and IP addresses, categorized by the threat intelligence report from which they were derived. The format is plain text, with comments (#) indicating the source of the IOCs. This data is intended for direct integration into security tools, firewalls, or SIEM systems to enhance detection and prevention capabilities against known malicious infrastructure. ```Plain Text # # LOKI C2 IOCs # This file contains C2 server and decription # # FORMAT ----------------------------------------------------------------------- # # # COMMENT # c2-server.tld # ip-address # # FireEye Operation Snowman https://goo.gl/x1v7mT suroot.com 58.64.143.244 effers.com 118.99.60.142 58.64.200.178 58.64.200.179 103.20.192.4 58.64.199.22 58.64.199.25 180.150.228.102 111.118.21.105 me.scieron.com cht.blankchair.com ali.blankchair.com dll.freshdns.org rt.blankchair.com book.flnet.org # Sofacy report Dec 2015 https://goo.gl/WSvEM8 drivres-update.info intelnetservice.com intelsupport.net softupdates.info # Mofang report by FoxIT https://goo.gl/t3uUTG video.today-nytimes.com api.officeonlinetool.com ie.update-windows-microsoft.com travel.tripmans.com dns.undpus.com secure2.sophosrv.com update.nfkllyuisyahooapis.com www.go-gga.com images.defexpoindia14.com update.micrdsoft.com support.f--secure.com store.outlook-microsoft.net b.support.outlook-microsoft.net logon.had-one-job.com www.avgfree.us mail.upgoogle.com wbmail.city-library.com library.cpgcorp.org 103.229.124.1 103.39.78.131 107.191.61.105 112.213.117.52 116.251.210.77 116.251.216.165 116.251.216.227 116.251.216.72 116.251.219.142 117.17.10.10 151.236.14.53 176.31.220.160 178.209.51.164 178.209.52.72 192.157.229.164 198.98.103.7 210.245.85.83 23.89.200.128 23.89.201.173 38.109.190.55 49.213.18.15 50.117.47.66 50.117.47.67 61.250.92.79 # Project Sauron https://goo.gl/eFoP4A 185.78.64.121 rapidcomments.com 81.4.108.168 bikessport.com 178.211.40.117 176.9.242.188 www.myhomemusic.com flowershop22.110mb.com wildhorses.awardspace.info 217.160.176.157 5.196.206.166 # Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads https://goo.gl/OOB3mH hackqz.f3322.org 120.209.40.157 bj6po.a1free9bird.com # Black Oasis IOC https://goo.gl/jhJWRp 89.45.67.107 # Sofacy activity https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ cdnverify.net ``` -------------------------------- ### APT10 C2 Malicious Domains List (JSON) Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This JSON array provides a current list of Command and Control (C2) domains linked to the APT10 advanced persistent threat group. Security teams can integrate this data into firewalls, SIEM systems, or threat intelligence platforms to enhance detection and prevention capabilities. The list is derived from AlienVault OTX and should be periodically refreshed as threat actors frequently update their infrastructure. ```JSON [ "acsocietyy.com", "anvprn.com", "anycal1.com", "appeal.ml", "belowto.com", "bridgeluxlightmadness.com", "catholicmmb.com", "ccfchrist.com", "chibashiri.com", "childrenstow.com", "ckusshani.com", "cloud-kingl.com", "cloud-maste.com", "companieshousesearch.com", "duosay.com", "emyta.com", "essashi.com", "fastmail2.com", "geetkculture.net", "gmpcw.com", "goodsampjp.com", "googlemeail.com", "gostudymbaa.com", "gotourisma.com", "gt4study.com", "gtsofta.com", "hg8fmv.racing", "hkhzhz.com", "hotma11.com", "hotma11.net", "hotmai.info", "icfeds.cf", "ijica.in", "incloud-obert.com", "innov-tec.com.ua", "ixrayeye.com", "jica-go-jp.bike", "jica-go-jp.biz", "jimin-jp.biz", "jimintokoy.com", "jmuroran.com", "jxsuyuisyahooapis.com", "kimospace.com", "lianhuaxinwen.com", "mailcarriage.co.uk", "mailserever.com", "mailvserver.com", "meltegorniesto.com", "microhotmail.com", "microsoften.com", "missbc.ca", "mofa-go-jp.com", "nokia1umia.com", "oipbl.com", "osaka-jpgo.com", "osce-press.org", "poulsenv.com", "radiorig.com", "salvaiona.com", "sapporot.com", "scholz-versand.com", "siteinit.info", "skypecommunications.net", "stevenlf.com", "thinkofnews.com", "tokyo-gojp.com", "tor-projects.org", "ubuntusofta.com", "unhamj.com", "urearapetsu.com", "veryhuai.info", "vscue.com", "wdsupdates.com", "woyaofanwen.com", "wthelpdesk.com", "xsince.tk", "yah000rg.com", "yahooadmin.net", "yahoorigist.com", "zafronecromien.com", "zccw.cc", "zhousafe.com", "002562066559681.r3u8.com", "031168053846049.r3u8.com", "0625.have8000.com", "1.gadskysun.com", "11.usyahooapis.com", "19518473326.r3u8.com", "1960445709311199.r3u8.com", "1j.www1.biz", "1z.itsaol.com", "2014.zzux.com", "202017845.r3u8.com", "2139465544784.r3u8.com", "2789203959848958.r3u8.com", "3q.wubangta.info", "3q.wubangtu.info", "5590428449750026.r3u8.com", "5q.niushenghuo.info", "6r.suibian2010.info", "a.wubangtu.info", "a1.suibian2010.info", "ab.4pu.com", "abc.wikaba.com", "abcd100621.3322.org", "abcd120719.6600.org", "abcd120807.3322.org", "acc.emailfound.info", "acc.lehigtapp.com", "ad.getfond.info", "ad.webbooting.com", "additional.sexidude.com", "af.zyns.com", "afc.https443.org", "ako.ddns.us", "algorithm.ddnsgeek.com", "amos.2288.org", "amxil.opmuert.org", "androidmusicapp.onmypc.us", "announcements.toythieves.com", "aotuo.9966.org", "apec.qtsofta.com", "app.lehigtapp.com", "apple.cmdnetview.com", "apple.defensewar.org", "apple.ikwb.com", "appledownload.ourhobby.com", "appleimages.itemdb.com", "appleimages.longmusic.com", "applelib120102.9966.org", "applemirror.organiccrap.com", "applemirror.squirly.info", "applemusic.isasecret.com", "applemusic.itemdb.com", "applemusic.wikaba.com", "applemusic.xxuz.com", "applemusic.zzux.com", "apples.sytes.net", "appleupdate.itemdb.com", "area.wthelpdesk.com", "army.xxuz.com", "art.p6p6.net", "asfzx.x24hr.com", "av.ddns.us", "availab.wikaba.com", "availability.justdied.com", "ba.my03.com", "baby.macforlinux.net", "baby.myie12.com", "baby.usmirocomney.net", "babyprintf.2288.org", "back.jungleheart.com", "back.mofa.dynamic-dns.net", "bak.have8000.com", "bak.ignorelist.com", "bak.un.dnsrd.com", "balance1.wikaba.com", "balk.n7go.com", "banana.cmdnetview.com", "barrybaker.3322.org", "barrybaker.6600.org", "bbs.jungleheart.com", "be.mrslove.com", "be.yourtrap.com", "bethel.webhop.net", "bexm.cleansite.biz", "bezu.itemdb.com", "bk56.twilightparadox.com", "blaaaaaaaaaaaa.windowsupdate.3-a.net", "blitzmediaplayer02.blitzmediaplayer.com", "blog.defensewar.org", "bluecoat.isasecret.com", "brand.fartit.com", "bulletproof.squirly.info", "cao.p6p6.net", "cata.qtsofta.com", "cc.dynamicdns.co.uk", "ccupdatedata.authorizeddns.net", "cd.usyahooapis.com", "cdaets-my.sharepoint.com", "cdn.incloud-go.com", "cdn.sanecat.com", "center.shenajou.com", "cgei493860.r3u8.com", "cia.ezua.com", "cia.toh.info", "ciaoci.chickenkiller.com", "civilwar123.authorizeddns.org", "civilwar520.onmypc.org", "cloudns.8800.org", "club.personanddog.info", "cms.sindeali.com", "cnnews.mylflv.com", "cnnews.mylftv.com", "commissioner.shenajou.com", "commons.onedumb.com", "contactus.myddns.com", "contactus.onmypc.us", "contract.4mydomain.com", "contractus.qpoe.com", "contractus.zzux.com", "coreck.suayay.com", "cpu.4pu.com", "cs.lflink.com", "ctdl.windowsupdate.itsaol.com", "ctdl.windowsupdate.nsatcdns.com", "ctldl.appledownload.ourhobby.com", "ctldl.applemusic.itemdb.com", "ctldl.itunesmusic.jkub.com", "ctldl.microsoftmusic.onedumb.com", "ctldl.microsoftupdate.qhigh.com", "ctldl.windowsupdate.authorizeddns.org", "ctldl.windowsupdate.authorizeddns.us", "ctldl.windowsupdate.dnset.com", "ctldl.windowsupdate.esmtp.biz", "ctldl.windowsupdate.ezua.com", "ctldl.windowsupdate.fartit.com", "ctldl.windowsupdate.gettrials.com", "ctldl.windowsupdate.itsaol.com", "ctldl.windowsupdate.lflinkup.com", "ctldl.windowsupdate.mrface.com", "ctldl.windowsupdate.nsatcdns.com", "ctldl.windowsupdate.organiccrap.com", "ctldl.windowsupdate.x24hr.com", "cvnx.zyns.com", "daddy.gostudyantivirus.com", "dcc.jimingroup.com", "dd.ddns.us", "de.onmypc.info", "dear.loveddos.com", "dec.seyesb.acmetoy.com", "dedydns.ns01.us", "department.shenajou.com", "desktopweatheralerts02.desktopweatheralerts00.desktopweatheralerts.com", "details.squirly.info", "development.shenajou.com", "devilcase.acmetoy.com", "dfgwerzc.3322.org", "dick.ccfchrist.com", "digsby.ourhobby.com", "disruptive.https443.net", "dlmix.ourdvs.com", "dns.snakesearch.info", "dnspoddwg.authorizeddns.org", "do.ddns.ms", "document.methoder.com", "document.shenajou.com", "domainnow.yourtrap.com", "download.applemusic.itemdb.com", "download.microsoftmusic.onedumb.com", "download.windowsupdate.authorizeddns.org", "download.windowsupdate.dedgesuite.net" ] ``` -------------------------------- ### Powersploit Tool Indicator Source: https://github.com/neo23x0/signature-base/blob/master/iocs/keywords.txt A keyword identifying the Powersploit framework, a collection of PowerShell modules for post-exploitation. Its detection suggests the use of advanced PowerShell-based attack techniques. ```plaintext Powersploit ``` -------------------------------- ### Suspicious Javascript WSH Command Source: https://github.com/neo23x0/signature-base/blob/master/iocs/keywords.txt A command-line invocation of wscript.exe executing JavaScript, often indicative of malicious script execution. This pattern is frequently used by attackers to run scripts without displaying a user interface. Refer to http://goo.gl/6HRCbk for more details. ```plaintext wscript.exe /b /nologo /E:javascript ``` -------------------------------- ### Identify Windows At Job Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies Windows At Job files. It consists of the hexadecimal byte sequence 'FF FE 3C 00 3F 00 78 00 6D 00 6C' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal FF FE 3C 00 3F 00 78 00 6D 00 6C ``` -------------------------------- ### Password Dumper Keywords Source: https://github.com/neo23x0/signature-base/blob/master/iocs/keywords.txt Keywords associated with password dumping tools, often used to extract credentials from memory. These strings are frequently found in process memory or logs when such tools are active. ```plaintext WCESERVICE ``` ```plaintext WCE_SERVICE ``` ```plaintext WCE SERVICE ``` -------------------------------- ### Java Deserialization Exploit Tool Indicator Source: https://github.com/neo23x0/signature-base/blob/master/iocs/keywords.txt A keyword indicating the use of ysoserial, a tool for generating payloads for Java deserialization vulnerabilities. Its presence can suggest attempts to exploit Java applications. ```plaintext ysoserial-0. ``` -------------------------------- ### Metasploit PsExec Command Source: https://github.com/neo23x0/signature-base/blob/master/iocs/keywords.txt A suspicious command pattern often used by Metasploit's PsExec module for remote command execution. This specific string indicates an attempt to execute a command via the Windows command interpreter. ```plaintext %COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp ``` -------------------------------- ### NOBELIUM IOCs from CERT-FR Alert Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This compilation includes Indicators of Compromise (IOCs) related to the NOBELIUM campaign, published by CERT-FR (CERTFR-2021-CTI-011). These domains and IP addresses are vital for identifying and mitigating potential compromises by the NOBELIUM group. Organizations should use these IOCs for proactive threat hunting and blocking. ```IOCs 139.99.167.177 185.158.250.239 185.243.215.198 188.68.250.182 190.183.61.30 192.99.221.77 194.135.81.18 195.206.181.169 31.42.177.114 37.120.247.135 37.59.225.51 45.135.167.27 45.179.89.37 45.80.148.166 51.254.241.158 51.38.85.225 51.89.50.153 54.38.137.218 79.143.87.166 81.17.30.46 83.171.237.173 91.234.254.144 alifemap.com businesssalaries.com cbdnewsandreviews.net celebsinformation.com cityloss.com dailydews.com doggroomingnews.com enpport.com giftbox4u.com hanproud.com ideasofbusiness.com myexpertforum.com newminigolf.com newstepsco.com rchosts.com stockmarketon.com stonecrestnews.com tacomanewspaper.com teachingdrive.com theyardservice.com trendignews.com worldhomeoutlet.com ``` -------------------------------- ### YARA External Variable Handling in Signature-Base Source: https://github.com/neo23x0/signature-base/blob/master/README.md This section explains how YARA rules in Signature-Base utilize external variables, which may cause 'undefined identifier' errors when used outside of LOKI or THOR Lite. It lists specific YARA files that contain these external variables, advising users to remove them if encountering errors. ```YARA ./yara/generic_anomalies.yar ./yara/general_cloaking.yar ./yara/gen_webshells_ext_vars.yar ./yara/thor_inverse_matches.yar ./yara/yara_mixed_ext_vars.yar ./yara/configured_vulns_ext_vars.yar ./yara/gen_fake_amsi_dll.yar ./yara/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar ./yara/yara-rules_vuln_drivers_strict_renamed.yar ``` -------------------------------- ### UNC4736 / APT43 C2 Domains from Mandiant Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This section provides Command and Control (C2) domains identified by Mandiant as being associated with UNC4736, also known as APT43. These domains are critical for detecting and blocking communications with the threat actor's infrastructure. Organizations should prioritize blocking these indicators to enhance their defensive posture. ```IOCs curvefinances.com pbxphonenetwork.com journalide.org nxmnv.site msedgepackageinfo.com apollo-crypto.org.shilaerc20.com ``` -------------------------------- ### Identify VMDK Files by Hexadecimal Signature (Alternative 1) Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies VMDK (Virtual Machine Disk) files. It consists of the hexadecimal byte sequence '43 4F 57 44' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 43 4F 57 44 ``` -------------------------------- ### Papercut Exploitation IOCs (CVE-2023-27351, CVE-2023-27350) Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This list contains Indicators of Compromise (IOCs) associated with the exploitation of critical vulnerabilities in Papercut Print Management Software (CVE-2023-27351 and CVE-2023-27350). These domains are known to be used by attackers in the wild. Organizations should block these domains to prevent compromise. ```Domain upd488.windowservicecemter.com ``` ```Domain anydeskupdate.com ``` ```Domain anydeskupdates.com ``` ```Domain netviewremote.com ``` ```Domain updateservicecenter.com ``` ```Domain windowcsupdates.com ``` ```Domain windowservicecentar.com ``` ```Domain windowservicecenter.com ``` ```Domain winserverupdates.com ``` -------------------------------- ### Identify Known Monero (XMR) Mining Pools Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This list comprises common Monero (XMR) cryptocurrency mining pool domains. While not inherently malicious, connections to these pools from unauthorized systems within an enterprise network can indicate cryptojacking or unauthorized resource usage. Monitoring and blocking these connections can help prevent illicit cryptocurrency mining activities. This list includes various regional and general pools. ```Plaintext pool.minexmr.com fr.minexmr.com de.minexmr.com sg.minexmr.com ca.minexmr.com us-west.minexmr.com pool.supportxmr.com mine.c3pool.com xmr-eu1.nanopool.org xmr-eu2.nanopool.org xmr-us-east1.nanopool.org xmr-us-west1.nanopool.org xmr-asia1.nanopool.org xmr-jp1.nanopool.org xmr-au1.nanopool.org xmr.2miners.com xmr.hashcity.org xmr.f2pool.com xmrpool.eu pool.hashvault.pro ``` -------------------------------- ### Identify Job Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies Job Files. It consists of the hexadecimal byte sequence '01 06 01 00' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 01 06 01 00 ``` -------------------------------- ### Identify VMDK Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies VMDK (Virtual Machine Disk) files. It consists of the hexadecimal byte sequence '23 20 44 69 73 6B 20 44' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 23 20 44 69 73 6B 20 44 ``` -------------------------------- ### Identify LIBPCAP Files by Hexadecimal Signature (Little Endian) Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies LIBPCAP capture files (Little Endian). It consists of the hexadecimal byte sequence 'A1 B2 CD 34' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal A1 B2 CD 34 ``` -------------------------------- ### Block NOBELIUM APT C2 Domains and IPs Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This snippet contains Command and Control (C2) domains and IP addresses linked to the NOBELIUM APT group, known for the SolarWinds supply chain attack. These indicators are part of NOBELIUM's early-stage toolset, as detailed by Microsoft Security. Organizations can use this list to detect and prevent communication with NOBELIUM's infrastructure, enhancing their defense against this sophisticated threat actor. ```Plaintext 74d6b7b2.app.giftbox4u.com aimsecurity.net cdn.theyardservice.com cdnappservice.firebaseio.com cityloss.com content.pcmsar.net cross-checking.com dailydews.com dataplane.theyardservice.com doggroomingnews.com email.theyardservice.com emergencystreet.com enpport.com eventbrite-com-default-rtdb.firebaseio.com financialmarket.org giftbox4u.com hanproud.com holescontracting.com humanitarian-forum-default-rtdb.firebaseio.com newsplacec.com newstepsco.com pcmsar.net security-updater-default-rtdb.firebaseio.com smtp2.theyardservice.com static.theyardservice.com stockmarketon.com stsnews.com supportcdn-default-rtdb.firebaseio.com tacomanewspaper.com techiefly.com theadminforum.com theyardservice.com trendignews.com usaid.theyardservice.com worldhomeoutlet.com 139.99.167.177 185.158.250.239 195.206.181.169 37.120.247.135 45.135.167.27 51.254.241.158 51.38.85.225 ``` -------------------------------- ### Identify JAR Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies JAR (Java Archive) files. It consists of the hexadecimal byte sequence '5F 27 A8 89' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 5F 27 A8 89 ``` -------------------------------- ### Identify LIBPCAP Files by Hexadecimal Signature (Big Endian) Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies LIBPCAP capture files (Big Endian). It consists of the hexadecimal byte sequence 'A1 B2 C3 D4' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal A1 B2 C3 D4 ``` -------------------------------- ### perfctl Malware IOCs for Linux Servers Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This list contains Indicators of Compromise (IOCs) associated with the perfctl stealthy malware, which targets Linux servers. It includes IP addresses and domains used by the malware. Security teams should use these IOCs for detection and prevention. ```IPv4 211.234.111.116 ``` ```IPv4 46.101.139.173 ``` ```IPv4 104.183.100.189 ``` ```IPv4 198.211.126.180 ``` ```Domain bitping.com ``` ```Domain earn.fm ``` ```Domain speedshare.app ``` ```Domain repocket.com ``` -------------------------------- ### Identify SYS Keyboard Driver Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies SYS Keyboard Driver files. It consists of the hexadecimal byte sequence 'FF 4B 45 59 42 20 20 20' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal FF 4B 45 59 42 20 20 20 ``` -------------------------------- ### MOVEit Transfer Exploitation C2 IOCs Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This list provides Command and Control (C2) Indicators of Compromise (IOCs) related to the critical vulnerability in MOVEit Transfer software (CVE-2023-34362, implied by date). These IPs and domains are associated with malicious activity. Defenders should monitor and block traffic to these indicators. ```IPv4 198.27.75.110 ``` ```IPv4 209.222.103.170 ``` ```IPv4 84.234.96.104 ``` ```IPv4 138.197.152.201 ``` ```IPv4 209.97.137.33 ``` ```IPv4 148.113.152.144 ``` ```IPv4 89.39.105.108 ``` ```IPv4 5.252.23.116 ``` ```IPv4 5.252.25.88 ``` ```IPv4 198.12.76.214 ``` ```Domain dojustit.mooo.com ``` -------------------------------- ### Identify EVT Event Viewer Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies EVT Event Viewer Files. It consists of the hexadecimal byte sequence '30 00 00 00 4C 66 4C 65' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 30 00 00 00 4C 66 4C 65 ``` -------------------------------- ### Lockbit Citrixbleed Exploitation IOCs Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt These are Indicators of Compromise (IOCs) linked to Lockbit ransomware's exploitation of Citrixbleed (CVE-2023-4966). The list includes IP addresses and domains used in attacks. Organizations should implement blocks and detection rules for these indicators. ```IPv4 193.201.9.224 ``` ```IPv4 62.233.50.25 ``` ```IPv4 185.229.191.41 ``` ```IPv4 81.19.135.219 ``` ```Domain adobe-us-updatefiles.digital ``` ```IPv4 172.67.129.176 ``` ```IPv4 104.21.1.180 ``` ```IPv4 81.19.135.220 ``` ```IPv4 81.19.135.226 ``` ```IPv4 168.100.9.137 ``` ```IPv4 206.188.197.22 ``` ```IPv4 141.98.9.137 ``` -------------------------------- ### Detect Lazarus Group C2 Domains (Security Researchers Campaign) Source: https://github.com/neo23x0/signature-base/blob/master/iocs/c2-iocs.txt This list provides domains used by the Lazarus Group in a campaign specifically targeting security researchers. These domains likely serve as C2 infrastructure or phishing sites designed to compromise researchers' systems. The details are based on a Google Threat Analysis Group blog post. Implementing blocks for these domains can mitigate risks from this specific Lazarus campaign. ```Plaintext angeldonationblog.com codevexillium.org investbooking.de krakenfolio.com opsonew3org.sg transferwiser.io transplugin.io ``` -------------------------------- ### Identify EVT Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies EVT (Windows Event Log) files. It consists of the hexadecimal byte sequence '30 00 00 00 4C 66 4C 65' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 30 00 00 00 4C 66 4C 65 ``` -------------------------------- ### Identify PHP Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies PHP (Hypertext Preprocessor) script files. It consists of the hexadecimal byte sequence '3C 3F 70 68 70' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 3C 3F 70 68 70 ``` -------------------------------- ### Identify SWF Files by Hexadecimal Signature (ZWS) Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies SWF (Small Web Format) files, specifically those compressed with ZWS. It consists of the hexadecimal byte sequence '5A 57 53' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 5A 57 53 ``` -------------------------------- ### Identify 7Zip Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies 7Zip compressed files. It consists of the hexadecimal byte sequence '37 7A BC AF 27 1C' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 37 7A BC AF 27 1C ``` -------------------------------- ### Identify PKSFX Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies PKSFX (PKZIP Self-Extractor) files. It consists of the hexadecimal byte sequence '50 4B 53 70 58' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 50 4B 53 70 58 ``` -------------------------------- ### Identify PKZIP Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies PKZIP archive files. It consists of the hexadecimal byte sequence '50 4B 05 06' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 50 4B 05 06 ``` -------------------------------- ### Identify GZIP Files by Hexadecimal Signature Source: https://github.com/neo23x0/signature-base/blob/master/misc/file-type-signatures.txt This signature identifies GZIP compressed files. It consists of the hexadecimal byte sequence '1F 8B 08' found at the beginning of the file. These signatures are crucial for file type identification and forensic analysis. ```Hexadecimal 1F 8B 08 ```