├── Adobe_Flash_DRM_Use_After_Free.rule
├── AgentTesla.rule
├── Base64_Encoded_Powershell_Directives.rule
├── CVE_2018_4878_0day_ITW.rule
├── ClamAV_Emotet_String_Aggregrate.rule
├── Embedded_PE.rule
├── Excel_Hidden_Macro_Sheet.rule
├── Executable_Converted_to_MSI.rule
├── GlowSpark_Downloader.rule
├── Hex_Encoded_Powershell.rule
├── Hidden_Bee_Elements.rule
├── Hunting_Rule_ShikataGaNai.rule
├── IQY_File.rule
├── IQY_File_With_Pivot_Extension_URL.rule
├── IQY_File_With_Suspicious_URL.rule
├── LICENSE
├── MSIExec_Pivot.rule
├── Microsoft_Excel_Data_Connection.rule
├── Microsoft_Office_DDE_Command_Execution.rule
├── Microsoft_Office_Document_with_Embedded_Flash_File.rule
├── Microsoft_XLSX_with_Macrosheet.rule
├── NTLM_Credentials_Theft_via_PDF_Files.rule
├── PDF_Document_with_Embedded_IQY_File.rule
├── PE.rule
├── README.md
├── RTF_Byte_Nibble_Obfuscation.rule
├── Signed_Executable_With_Custom_Elliptic_Curve_Parameters.rule
├── Symbolic_Link_Files_DLL_Reference_Suspicious_Characteristics.rule
├── Symbolic_Link_Files_Macros_File_Characteristic.rule
├── labs.inquest.net
│   ├── Worm Charming Over VTI.pdf
│   ├── excel40_hunter.rule
│   ├── macro_hunter.rule
│   ├── maldoc_hunter.rule
│   ├── malfash_hunter.rule
│   ├── maljar_hunter.rule
│   ├── malpdf_hunter.rule
│   ├── miscellaneous.rule
│   ├── pdfjs_hunter.rule
│   ├── phish_hunter.rule
│   ├── rtf_hunter.rule
│   └── swf_hunter.rule
└── novel_rule_generator.py

--------------------------------------------------------------------------------

/Adobe_Flash_DRM_Use_After_Free.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Adobe_Flash_DRM_Use_After_Free.rule

/AgentTesla.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/AgentTesla.rule

/Base64_Encoded_Powershell_Directives.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Base64_Encoded_Powershell_Directives.rule

/CVE_2018_4878_0day_ITW.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/CVE_2018_4878_0day_ITW.rule

/ClamAV_Emotet_String_Aggregrate.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/ClamAV_Emotet_String_Aggregrate.rule

/Embedded_PE.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Embedded_PE.rule

/Excel_Hidden_Macro_Sheet.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Excel_Hidden_Macro_Sheet.rule

/Executable_Converted_to_MSI.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Executable_Converted_to_MSI.rule

/GlowSpark_Downloader.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/GlowSpark_Downloader.rule

/Hex_Encoded_Powershell.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Hex_Encoded_Powershell.rule

/Hidden_Bee_Elements.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Hidden_Bee_Elements.rule

/Hunting_Rule_ShikataGaNai.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Hunting_Rule_ShikataGaNai.rule

/IQY_File.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/IQY_File.rule

/IQY_File_With_Pivot_Extension_URL.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/IQY_File_With_Pivot_Extension_URL.rule

/IQY_File_With_Suspicious_URL.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/IQY_File_With_Suspicious_URL.rule

/LICENSE:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/LICENSE

/MSIExec_Pivot.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/MSIExec_Pivot.rule

/Microsoft_Excel_Data_Connection.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Microsoft_Excel_Data_Connection.rule

/Microsoft_Office_DDE_Command_Execution.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Microsoft_Office_DDE_Command_Execution.rule

/Microsoft_Office_Document_with_Embedded_Flash_File.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Microsoft_Office_Document_with_Embedded_Flash_File.rule

/Microsoft_XLSX_with_Macrosheet.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Microsoft_XLSX_with_Macrosheet.rule

/NTLM_Credentials_Theft_via_PDF_Files.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/NTLM_Credentials_Theft_via_PDF_Files.rule

/PDF_Document_with_Embedded_IQY_File.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/PDF_Document_with_Embedded_IQY_File.rule

/PE.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/PE.rule

/README.md:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/README.md

/RTF_Byte_Nibble_Obfuscation.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/RTF_Byte_Nibble_Obfuscation.rule

/Signed_Executable_With_Custom_Elliptic_Curve_Parameters.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Signed_Executable_With_Custom_Elliptic_Curve_Parameters.rule

/Symbolic_Link_Files_DLL_Reference_Suspicious_Characteristics.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Symbolic_Link_Files_DLL_Reference_Suspicious_Characteristics.rule

/Symbolic_Link_Files_Macros_File_Characteristic.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/Symbolic_Link_Files_Macros_File_Characteristic.rule

/labs.inquest.net/Worm Charming Over VTI.pdf:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/Worm Charming Over VTI.pdf

/labs.inquest.net/excel40_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/excel40_hunter.rule

/labs.inquest.net/macro_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/macro_hunter.rule

/labs.inquest.net/maldoc_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/maldoc_hunter.rule

/labs.inquest.net/malfash_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/malfash_hunter.rule

/labs.inquest.net/maljar_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/maljar_hunter.rule

/labs.inquest.net/malpdf_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/malpdf_hunter.rule

/labs.inquest.net/miscellaneous.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/miscellaneous.rule

/labs.inquest.net/pdfjs_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/pdfjs_hunter.rule

/labs.inquest.net/phish_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/phish_hunter.rule

/labs.inquest.net/rtf_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/rtf_hunter.rule

/labs.inquest.net/swf_hunter.rule:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/labs.inquest.net/swf_hunter.rule

/novel_rule_generator.py:
https://raw.githubusercontent.com/InQuest/yara-rules/HEAD/novel_rule_generator.py