kevross33
I noticed it is similar to the signature prevents_safeboot, aside from the fact that that signature is a delete of the key whereas this one is a modify. I have been testing...
Hi, I can't find a malware sample again that I am sure I have seen and noted in the past, but you can trigger this functionality with MD5 d21a98b6f55d6e6bf6d4d6357e5028f4, which is...
It doesn't (21a0b617431850a9ea2698515c277cbd95de4e59c493d0d8f194f3808eb16354 Instructions.iso). While most injection techniques are covered, I am sometimes finding they don't fire on these behaviours, potentially because of how it is being done instead of...
Will just be an omission on my part and can be added. In terms of the wider conversation, the CAPE sigs for injection are still very useful for identifying source/target injection...
Hi, No, it didn't when I was analysing the sample (sorry, because it never fired I didn't realise there was one there already that I could have looked to add...
I have made the suggested changes now, as well as adding extraction of the executed command for the alert. Regards, Kevin
Thanks for the pointer. I will get this sorted out next week.
Oh, thanks for the tip. I will make these changes. On 5 May 2017 6:05 p.m., "KillerInstinct" wrote: > If performance is your hold-back then just combine the regexes. RE2...
Appears to currently be OK in cases where Silverlight is being exploited.
Hi, Do you know how frequently https://fsrm.experiant.ca/api/v1/get is updated with new indicators? It is possible and would remove some of the manual work if it is maintained, although it doesn't...