
eset/malware-ioc

Indicators of Compromise (IOC) of our various investigations


Top Related Projects


MISP (core software) - Open Source Threat Intelligence and Sharing Platform

YARA signature and IOC database for my scanners and tools

APT & CyberCriminal Campaign Collection

Quick Overview

The eset/malware-ioc repository is a collection of Indicators of Compromise (IoCs) related to various malware families and campaigns detected by ESET researchers. It serves as a valuable resource for cybersecurity professionals, providing up-to-date information on malicious activities and helping organizations enhance their threat detection capabilities.

Pros

  • Regularly updated with new IoCs from recent malware campaigns
  • Comprehensive coverage of various malware families and threat actors
  • Structured data format (YAML) for easy parsing and integration
  • Maintained by a reputable cybersecurity company (ESET)

Cons

  • Limited contextual information for some IoCs
  • Requires manual monitoring for updates
  • May include false positives or outdated indicators
  • Lacks automated tools for easy integration into security systems

Getting Started

To use the IoCs from this repository:

  1. Clone the repository:

    git clone https://github.com/eset/malware-ioc.git
    
  2. Navigate to the specific malware family or campaign folder.

  3. Use the YAML files to extract IoCs for your security tools or threat intelligence platforms.

  4. Regularly pull updates from the repository to stay current with the latest IoCs:

    git pull origin main
    
  5. Consider implementing a script to automate the process of fetching and parsing the IoCs for your specific use case.
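As an added example of the automation step 5 suggests (this is not tooling from the ESET repository), the script below loads indicators in the JSON shape this page's Code Comparison shows, rejects malformed hash values instead of loading them silently, and matches file contents against the loaded set. The sample input is constructed here; the repository's own file layouts vary, so the JSON shape is an assumption.

```python
import hashlib
import json
import re

# Constructed sample in the JSON indicator shape shown on this page (not a real ESET file).
# The SHA256 entry is deliberately too short, mirroring a malformed line a loader must reject.
SAMPLE_JSON = """{
    "Indicators": [
        {"Type": "SHA1",   "Value": "1234567890abcdef1234567890abcdef12345678"},
        {"Type": "MD5",    "Value": "0A209AC0DE4AC033F31D6BA9191A8F7A"},
        {"Type": "SHA256", "Value": "247b2a9fcba6e9ec29ed818948939702ee9f28a7"}
    ]
}"""

# Expected hex-digest length per hash type; anything else is rejected instead of silently loaded.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def load_indicators(text):
    """Parse the JSON shape; return ({hash type: set of lowercase digests}, [rejected entries])."""
    accepted = {kind: set() for kind in HASH_LENGTHS}
    rejected = []
    for entry in json.loads(text)["Indicators"]:
        kind = str(entry.get("Type", "")).lower()
        value = str(entry.get("Value", "")).strip().lower()
        if kind in HASH_LENGTHS and len(value) == HASH_LENGTHS[kind] and HEX_RE.match(value):
            accepted[kind].add(value)
        else:
            rejected.append(entry)
    return accepted, rejected


def match_file_bytes(data, indicators):
    """Hash file contents with every algorithm that has loaded IoCs; return matching (type, digest) pairs."""
    hits = []
    for kind, values in indicators.items():
        if not values:
            continue  # no IoCs of this type were loaded, so skip the hashing work
        digest = hashlib.new(kind, data).hexdigest()
        if digest in values:
            hits.append((kind, digest))
    return hits


if __name__ == "__main__":
    iocs, bad = load_indicators(SAMPLE_JSON)
    print({k: len(v) for k, v in iocs.items()}, "rejected:", bad)
    print(match_file_bytes(b"constructed file contents", iocs))
```

Rejected entries are returned rather than dropped so they can be reported upstream, which is how the README asks for false positives and bad indicators to be fed back.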

Competitor Comparisons


MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Pros of MISP

  • More comprehensive threat intelligence platform with extensive features
  • Active community and regular updates
  • Supports various data formats and integrations with other security tools

Cons of MISP

  • More complex setup and maintenance
  • Steeper learning curve for new users
  • Requires more resources to run effectively

Code Comparison

MISP (Python):

from pymisp import PyMISP, MISPEvent
misp = PyMISP('https://misp.example.com', 'YOUR_API_KEY', ssl=True)
event = MISPEvent()
event.info, event.distribution = 'Malware IOCs', 0   # distribution 0 = your organisation only
event.threat_level_id, event.analysis = 2, 2          # medium threat level, analysis completed
event.add_attribute('domain', 'malicious.com', comment='C2 server')  # PyMISP has no add_ioc(); attributes go on the event
event = misp.add_event(event, pythonify=True)         # push the event and its attribute to the server

malware-ioc (YAML):

- id: malicious_domain
  type: domain
  value: malicious.com
  description: C2 server

MISP offers a more programmatic approach with its Python library, allowing for dynamic creation and manipulation of threat intelligence data. The malware-ioc repository uses a simpler YAML format for static IOC storage, which is easier to read but less flexible for complex operations.

MISP provides a full-featured platform for threat intelligence sharing and analysis, while malware-ioc focuses on providing a straightforward repository of IOCs. MISP is better suited for organizations requiring advanced threat intelligence capabilities, whereas malware-ioc is more appropriate for simpler IOC sharing and consumption.

YARA signature and IOC database for my scanners and tools

Pros of signature-base

  • More comprehensive and diverse set of signatures, covering a wider range of threats
  • Regular updates and active community contributions
  • Includes YARA rules, which are more flexible and powerful for threat detection

Cons of signature-base

  • Larger repository size, potentially requiring more storage and processing power
  • May include more false positives due to broader coverage
  • Steeper learning curve for users unfamiliar with YARA rules

Code Comparison

malware-ioc:

{
    "Indicators": [
        {
            "Type": "SHA1",
            "Value": "1234567890abcdef1234567890abcdef12345678"
        }
    ]
}

signature-base:

rule APT_MAL_GENERIC {
    meta:
        description = "Detects generic APT malware"
    strings:
        $s1 = "C:\\Windows\\System32\\cmd.exe" wide
    condition:
        uint16(0) == 0x5A4D and $s1
}

The malware-ioc repository uses a simple JSON format for indicators, while signature-base employs more complex YARA rules for threat detection. This difference reflects the broader scope and flexibility of signature-base, but also its increased complexity compared to malware-ioc.

APT & CyberCriminal Campaign Collection

Pros of APT_CyberCriminal_Campagin_Collections

  • Broader scope, covering various APT groups and cybercriminal campaigns
  • More comprehensive collection of IOCs and related information
  • Regular updates and contributions from the community

Cons of APT_CyberCriminal_Campagin_Collections

  • Less structured organization compared to malware-ioc
  • May contain outdated or less reliable information due to its collaborative nature
  • Potentially overwhelming amount of data for newcomers

Code Comparison

malware-ioc:

- md5: 0a209ac0de4ac033f31d6ba9191a8f7a
  sha1: 7bea1f4bd1c988d9092fb56c535f0bfaed62287d
  sha256: 247b2a9fcba6e9ec29ed818948939702ee9f28a7

APT_CyberCriminal_Campagin_Collections:

APT28
├── 2019-03-01
│   └── ESET_Turla_Mosquito.csv
├── 2019-05-22
│   └── ESET_Turla_LightNeuron.csv
└── README.md

The malware-ioc repository focuses on structured YAML files with specific IOCs, while APT_CyberCriminal_Campagin_Collections uses a directory structure to organize information by APT group and date, with various file formats for IOCs and related data.

Pros of red_team_tool_countermeasures

  • More comprehensive coverage of red team tools and techniques
  • Includes detailed detection and mitigation strategies
  • Regularly updated with new threat intelligence

Cons of red_team_tool_countermeasures

  • Focuses primarily on red team tools, potentially missing other types of malware
  • May require more advanced knowledge to implement countermeasures effectively
  • Larger repository size, which could be overwhelming for some users

Code Comparison

malware-ioc:

- md5: 0a209ac0de4ac033f31d6ba9191a8f7a
  sha1: 84c82835a5d21bbcf75a61706d8ab549
  sha256: 2f54d3a5a3614708edd0e28dfba46f1e85daf9

red_team_tool_countermeasures:

- name: Cobalt Strike
  rules:
    - rule: Detect Cobalt Strike Beacon
      description: Identifies potential Cobalt Strike Beacon activity
      detection:
        selection:
          EventID: 3
          Image|endswith: '\rundll32.exe'

The malware-ioc repository focuses on providing simple IoCs, while red_team_tool_countermeasures offers more detailed detection rules and countermeasures for specific red team tools. The latter provides more context and actionable information for defenders, but may require more effort to implement and maintain.


README

Malware Indicators of Compromise

 .-------------.
(  E  S | E  T  )  R e s e a r c h
 `-------------'

Copyright (C) ESET 2014-2020

Here are indicators of compromise (IOCs) of our various investigations. We are doing this to help the broader security community fight malware wherever it might be.

If you would like to contribute improved versions please send us a pull request.

If you've found false positives give us the details in an issue report and we'll try to improve our IOCs.

These are licensed under the permissive BSD two-clause license. You are allowed to modify these and keep the changes to yourself even though it would be rude to do so.