VinnyPrograming / malware-detection

Sharing indicators and methods for malware and malicious activity detection and prevention to help keep the Internet safe

Threat Detection Indicators

This repository contains indicators and methods for detecting malware and other malicious online activity. Indicators are listed here when our investigative teams strongly believe that they are tied to malicious activity. We recommend that all indicators listed in this repository be reviewed before taking action within your organization.

Repository Structure

  • indicators - Holds indicators in CSV, TSV, STIX v1, and JSON formats
  • signatures - Holds detection signatures

Schema

  • indicator_type - References the type of indicator (e.g. android_package_name)
  • indicator_value - The actual indicator
  • comment - Any comments, very often the "name" of an app
  • ds - Datestamp (yyyy-mm-dd) related to this indicator. Very often the date of publication, not the date of detection

Indicator Types

  • android_package_name - An Android package name (e.g. com.example.app). For STIX v1 this is placed within a File object in the "Filename" field
  • ios_app_id - An iOS App ID (e.g. 10000000001). For STIX v1 this is placed within a File object in the "Filename" field
  • domain_name - A domain name
  • md5 - An MD5 Hash
  • sha256 - A SHA256 Hash
  • ip - An IP Address
  • phishing_url - A URL associated with phishing
  • cib_url - A URL associated with Coordinated Inauthentic Behavior (CIB)
  • telegram_url - A URL to a Telegram Channel

Index File Format

The file index.json can be used to programmatically consume our indicators. The file is JSON formatted and contains an array of JSON objects, one for each "entry" in this repository. All paths in this file are relative to the root of the repo. The schema is as follows:

{
	"id" : "id_of_the_entry",
	"added_ds" : "yyyy-mm-dd that this entry was added to the repo",
	"reported_ds" : "yyyy-mm-dd that this entry was first reported by Meta",
	"reference_urls" : ["Array of URLs where you can learn more"],
	"indicators" : {
		"csv_files" : ["paths to CSV files associated with this entry"],
		"json_files" : ["paths to JSON files associated with this entry"],
		"tsv_files" : ["paths to TSV files associated with this entry"],
		"stix1_files" : ["paths to XML STIX v1 files associated with this entry"],
		"stix2_files" : ["paths to JSON STIX v2 files associated with this entry"]
	},
	"signatures" : {
		"yara_files" : ["paths to YARA files associated with this entry"]
	}
}
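As an added example (not code from the repository itself), the following Python walks index.json as described above, reads each entry's CSV files in the indicator schema, rejects rows that lack the schema columns or carry a malformed ds, and filters the result by indicator type. The index and CSV contents embedded here are constructed placeholders, and the read_file callback and by_type helper are this example's own names.

```python
import csv
import io
import json
from datetime import date
from typing import Callable, Dict, List

REQUIRED_COLUMNS = {"indicator_type", "indicator_value", "comment", "ds"}

# Constructed sample index.json and CSV content (placeholders, not real repository data).
SAMPLE_INDEX = json.dumps([{
    "id": "example_entry", "added_ds": "2022-10-07", "reported_ds": "2022-10-07",
    "reference_urls": ["https://example.invalid/report"],
    "indicators": {"csv_files": ["indicators/csv/example.csv"], "json_files": [],
                   "tsv_files": [], "stix1_files": [], "stix2_files": []},
    "signatures": {"yara_files": []},
}])
SAMPLE_FILES = {"indicators/csv/example.csv": (
    "indicator_type,indicator_value,comment,ds\n"
    'android_package_name,com.example.fakeapp,"Example App",2022-10-07\n'
    "domain_name,example.invalid,,2022-10-07\n"
    "ip,192.0.2.10,,2022-10-07\n")}


def load_indicators(index_json: str, read_file: Callable[[str], str]) -> List[Dict]:
    """Walk each entry's CSV files and return one record per indicator row.

    read_file maps a repo-relative path to its text; for a checkout pass
    lambda p: open(os.path.join(repo_root, p), encoding="utf-8").read().
    Rows lacking the schema columns or with a malformed ds raise instead of slipping through.
    """
    records = []
    for entry in json.loads(index_json):
        for path in entry["indicators"].get("csv_files", []):
            reader = csv.DictReader(io.StringIO(read_file(path)))
            missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
            if missing:
                raise ValueError(f"{path}: missing columns {sorted(missing)}")
            for row in reader:
                date.fromisoformat(row["ds"])  # ValueError unless yyyy-mm-dd
                records.append({**row, "entry_id": entry["id"],
                                "reference_urls": entry["reference_urls"]})
    return records


def by_type(records: List[Dict], indicator_type: str) -> List[str]:
    """Values of one indicator type, e.g. domain_name rows for a DNS blocklist review."""
    return [r["indicator_value"] for r in records if r["indicator_type"] == indicator_type]
```

Each returned record keeps the entry id and reference_urls alongside the row, so a reviewer can trace any value back to the report it came from before acting on it.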

FAQ

Why are you releasing this?

Please see https://about.fb.com/news/2022/10/protecting-people-from-malicious-account-compromise-apps/ to learn more.

How were these detected?

Meta uses a wide variety of techniques to find and combat malware and malicious activity. Exact detection methods are generally not shared publicly.

How confident are you in these indicators?

We have high confidence in our indicators. We manually vet all indicators before they are published to this repository. There still remains a very low chance that an indicator may be a false positive, so we recommend users review the indicators before taking action.

How can I report an issue?

Open an Issue on Github and we'll look into it.

How is this data licensed?

Under the MIT License (see LICENSE).

Index of Filenames
