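├── wxs
│   ├── french.awk
│   └── count.awk
├── glesnewich
│   ├── SUSP_LNK_Abnormal_CLSID_Not_MyComputer.yar
│   ├── Testing_LNK_Module.yar
│   ├── SUSP_Bloated_LNK.yar
│   ├── SUSP_LNK_Contains_Padding.yar
│   ├── SUSP_LNK_Embedded_WordDoc.yar
│   ├── APT_RU_Turla_Tunnus_Dotnet_RC4_Meta.yar
│   ├── MAL_GOLDBACKDOOR_LNK.yar
│   ├── SUSP_DotNet_Method_Param.yar
│   ├── SUSP_LNK_SmallScreenSize.yar
│   ├── LICENSE.Detection.Rules.md
│   └── SUSP_LNK_Network_CloudServices.yar
├── silas
│   ├── MAL_PY_Dimorf.yara
│   ├── misc_rules
│   │   └── SUSP_MSF_script.yar
│   ├── MAL_EXE_RoyalRansomware.yar
│   ├── MAL_ELF_TorchTriton.yar
│   ├── MAL_EXE_PrestigeRansomware.yar
│   └── MAL_EXE_LockBit_v2.yar
├── bitsofbinary
│   ├── APT42_CHAIRSMACK_PE_Metadata_Example_Rule.yar
│   └── PE_Module_PDB_Rule_Examples.yar
├── shellcromancer
│   ├── lang_zig.yar
│   ├── tool_network_free_code.yar
│   ├── elf_golf.yar
│   └── tool_nimplant.yar
├── dan
│   └── Stairwell_CobaltStrike_Stager_API_Hashing.yara
└── ReadMe.md

/wxs/french.awk:
--------------------------------------------------------------------------------
#!/usr/bin/awk -f

# Consolidate all YARA rule matches for a given file into a single line.
# https://gist.github.com/wxsBSD/3e9452c3699bf68ff2e83a5d6a521801
#
# Input : plain `yara` output, one "<rule> <path>" line per match.
# Output: "<path>\t<rule1>,<rule2>,..." — one line per distinct path.
#
# Review notes:
#  - The original keyed on $2, which silently truncated any path containing
#    whitespace (common for sample archives and Windows shares), merging or
#    splitting entries. The path is now everything after the first field.
#  - Lines with fewer than two fields (blank lines, stray warnings) are
#    skipped instead of being filed under an empty path.
#  - `yara -s` string-match lines ("0x…:$id: …") are not recognised here and
#    would be treated as rule lines; use count.awk for that output.

# Skip anything that is not "<rule> <path…>".
NF < 2 { next }

{
    # Path = $0 minus the leading rule name and the separating whitespace,
    # so embedded spaces in the path survive intact.
    path = $0
    sub(/^[ \t]*[^ \t]+[ \t]+/, "", path)

    if (path in files) {
        files[path] = files[path] "," $1
    } else {
        files[path] = $1
    }
}

END {
    # Array iteration order is unspecified in awk; pipe through sort if a
    # stable listing is needed.
    for (file in files) {
        print file "\t" files[file]
    }
}
--------------------------------------------------------------------------------
/glesnewich/SUSP_LNK_Abnormal_CLSID_Not_MyComputer.yar:
--------------------------------------------------------------------------------
rule SUSP_LNK_Abnormal_CLSID_Not_MyComputer
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-04"
        version = "1.0"
        hash = "120ca851663ef0ebef585d716c9e2ba67bd4870865160fec3b853156be1159c5"
        DaysofYARA = "4/100"

    strings:
        // CLSID_MyComputer {20D04FE0-3AEA-1069-A2D8-08002B30309D} in on-disk
        // (little-endian) GUID byte order. A LNK whose target lives on a local
        // drive normally starts its LinkTargetIDList at this root folder.
        $clsid = {E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D}
    condition:
        // The header gate only checks HeaderSize == 0x4C; it does not verify the
        // LinkCLSID at offset 4, so any file starting with 4C 00 00 00 passes
        // (adding `uint32(4) == 0x00021401` would tighten that).
        // `none of them` means the My Computer root is absent. That is the
        // intent, but LNKs rooted elsewhere (network locations, Control Panel,
        // shell namespace extensions) are legitimate too — triage signal only.
        uint32be(0x0) == 0x4C000000 and none of them
}
--------------------------------------------------------------------------------
/glesnewich/Testing_LNK_Module.yar:
--------------------------------------------------------------------------------
// NOTE(review): the "lnk" module is not part of stock YARA 4.x releases; this
// file only compiles on a build that ships it. Keep it out of production
// rulesets unless the deployment target is known to have the module.
import "lnk"

rule SUSP_LNK_CommandLine_Padding
{
    meta:
        author = "Greg Lesnewich"
        description = "Look for LNK files with space padded commandline args"
        date = "2023-01-05"
        version = "1.0"
        DaysofYARA = "5/100"

    condition:
        // Looks for a run of UTF-16LE spaces (20 00 …) inside the parsed
        // COMMAND_LINE_ARGUMENTS field — padding used to push the real command
        // out of view. This only works if the module exposes the raw UTF-16
        // bytes; if it returns a decoded string the \x00 bytes can never match
        // (presumably raw — verify on a known sample).
        // SUSP_LNK_Contains_Padding.yar covers the same idea without the module.
        uint32be(0x0) == 0x4C000000 and
        lnk.command_line_arguments contains " \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 "
}
--------------------------------------------------------------------------------
/glesnewich/SUSP_Bloated_LNK.yar:
--------------------------------------------------------------------------------
rule SUSP_Bloated_LNK
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files with a size over 250KB - examples from Janicab (PDF) and GOLDBACKDOOR (Doc) and MustangPanda (HTML)"
        date = "2023-01-02"
        version = "1.0"
        hash =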
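"120ca851663ef0ebef585d716c9e2ba67bd4870865160fec3b853156be1159c5"
        DaysofYARA = "2/100"

    condition:
        // Size is the whole signal: a shell link is normally a few KB, so
        // >250KB means something (document, HTML, script, PE) is riding behind
        // the link structure. Pair with the content rules in this folder to
        // decide what was appended.
        uint32be(0x0) == 0x4C000000 and
        filesize > 250KB
}
--------------------------------------------------------------------------------
/glesnewich/SUSP_LNK_Contains_Padding.yar:
--------------------------------------------------------------------------------
rule SUSP_LNK_Contains_Padding
{
    meta:
        author = "Greg Lesnewich"
        description = "Look for LNK files with space padded commandline args"
        date = "2023-01-05"
        version = "1.0"
        DaysofYARA = "5/100"

    strings:
        // 21 UTF-16LE spaces (20 00) plus the first byte of a 22nd. A run this
        // long in a shell link is almost always deliberate padding, but the
        // pattern is not anchored to the command-line field, so a padded
        // Description or Comment string matches as well.
        $padding = {20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 }
    condition:
        uint32be(0x0) == 0x4c000000 and $padding
}
--------------------------------------------------------------------------------
/silas/MAL_PY_Dimorf.yara:
--------------------------------------------------------------------------------
rule MAL_PY_Dimorf
{
    meta:
        author = "Silas Cutler"
        description = "Detection for Dimorf ransomeware"
        date = "2023-01-03"
        version = "1.0"
        ref = "https://github.com/Ort0x36/Dimorf"

    strings:
        // Source-level indicators: the reference is a public Python project, so
        // this matches the .py source (including clones/forks of the repo),
        // not a compiled, packed or obfuscated build.
        $func01 = "def find_and_encrypt"
        $func02 = "def check_os"

        $comment01 = "checks if the user has permission on the file."

        $misc01 = "log_dimorf.log"
        $misc02 = ".dimorf"


    condition:
        // All five required — tight by design; renaming the log file or the
        // extension is enough to evade.
        all of them
}
--------------------------------------------------------------------------------
/wxs/count.awk:
--------------------------------------------------------------------------------
#!/bin/awk -f

# Count the number of times a string matches in YARA.
# https://gist.github.com/wxsBSD/4ec929a0eb07d8e3feeccc49e0d9aa2a
#
# Input : `yara -s` output. A rule hit is "<rule> <path>"; each string match
#         beneath it is "0x<offset>:$<id>: <data>".
# Output: every hit line echoed, followed by "$<id>: <count>" for each string
#         that matched in that file.

# Any line not starting with "0x" begins a new rule/file pair: flush the
# counts collected so far, then echo the header line itself.
!/^0x/ {
    if (length(strings) > 0) {
        for (string in strings) {
            print string ": " strings[string];
        }
    }
    delete strings
    print;
}

# String match line: the identifier is the second ":"-separated field of
# "0x<offset>:$<id>:". Identifiers cannot contain ":", so this is safe; the
# matched data (which may itself contain spaces/colons) sits in later fields
# and is ignored.
/^0x/ {
    split($1, fields, ":");
    strings[fields[2]]++;
}

# Flush the counts for the last file.
END {
    for (string in strings) {
        print string ": " strings[string];
    }
}
--------------------------------------------------------------------------------
/glesnewich/SUSP_LNK_Embedded_WordDoc.yar:
--------------------------------------------------------------------------------
rule SUSP_LNK_Embedded_WordDoc
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files with indications of the Word program or an embedded doc"
        date = "2023-01-02"
        version = "1.0"
        hash = "120ca851663ef0ebef585d716c9e2ba67bd4870865160fec3b853156be1159c5"
        DaysofYARA = "2/100"

    strings:
        // OLE2 / Compound File magic. Not Word-specific: .xls, .ppt, .msi and
        // .msg carry the same header, so a hit means "an OLE container is
        // embedded", not necessarily a .doc.
        $doc_header = {D0 CF 11 E0 A1 B1 1A E1}
        // Exact Office16 path only; other Office versions or a
        // "Program Files (x86)" install will not match (recall, not precision).
        $icon_loc = "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.exe" ascii wide
    condition:
        uint32be(0x0) == 0x4C000000 and
        filesize > 10KB and
        any of them
}
--------------------------------------------------------------------------------
/silas/misc_rules/SUSP_MSF_script.yar:
--------------------------------------------------------------------------------
rule SUSP_MSF_script
{
    meta:
        author = "Silas Cutler"
        description = "Experimental detection for Metasploit resource scripts"
        date = "2023-01-02"
        version = "1.0"
        ref = "https://docs.rapid7.com/metasploit/resource-scripts/"
        DaysofYARA = "2/100"

    strings:
        // Anonymous strings: msfconsole commands typical of a handler .rc file.
        // "exploit" alone is ordinary English, hence the 2-of threshold.
        $ = "use multi/handler" nocase
        $ = "set payload " nocase
        $ = "set lhost " nocase
        $ = "set lport " nocase
        $ = "set rhost " nocase
        $ = "set rport " nocase
        $ = "exploit" nocase

    condition:
        2 of them and
        // Review fix: bound the byte walk that follows. `for all offset in
        // (0..filesize-1)` evaluates uint8() once per byte, so a large binary
        // or log that happens to contain two of the strings costs O(filesize)
        // per scan and can trip the scan timeout. Resource scripts are a few
        // hundred bytes, so a 1MB ceiling loses nothing.
        filesize < 1MB and
        for all offset in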
(0..(filesize-1)): ( uint8(offset) < 127) // every byte must be 7-bit: a UTF-8 BOM or one non-ASCII comment byte defeats the rule, while NUL/control bytes still pass — a weak "is text" heuristic, not a strict one
}



--------------------------------------------------------------------------------
/glesnewich/APT_RU_Turla_Tunnus_Dotnet_RC4_Meta.yar:
--------------------------------------------------------------------------------
import "pe" // not referenced by this rule; harmless, can be dropped
import "dotnet"

// NOTE(review): the rule name (APT_RU_TurlaDaddy_…) does not match the file
// name (APT_RU_Turla_…). YARA does not care, but it makes hits harder to
// trace back to their source file.
rule APT_RU_TurlaDaddy_Tunnus_Dotnet_RC4_Meta
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-06"
        reference = "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity"
        version = "1.0"
        hash = "0fc624aa9656a8bc21731bfc47fd7780da38a7e8ad7baf1529ccd70a5bb07852"
        DaysofYARA = "6/100"


    condition:
        // Pure .NET-metadata match (class/method names), no byte patterns. No
        // PE gate is needed: dotnet.classes is undefined for non-.NET input,
        // which makes the whole condition false. Both names are generic
        // RC4-helper names that presumably also occur in benign open-source
        // .NET code, so treat this as a hunting rule and pivot on the
        // reference/hash before acting.
        for any classy in dotnet.classes: (classy.name == "RC4Encryption") or

        for any item in dotnet.classes: ( for any meths in item.methods: (
            meths.name == "EncryptDecrypt"
        ))

}
--------------------------------------------------------------------------------
/bitsofbinary/APT42_CHAIRSMACK_PE_Metadata_Example_Rule.yar:
--------------------------------------------------------------------------------
import "pe"
import "hash"

rule APT42_CHAIRSMACK_PE_Metadata {
    meta:
        author = "BitsOfBinary"
        description = "Detects samples of CHAIRSMACK based on unique PE metadata (i.e. imphash and rich PE header hash)"
        reference = "https://mandiant.com/resources/blog/apt42-charms-cons-compromises"
        reference = "https://bitsofbinary.github.io/yara/2023/01/03/100daysofyara-day-3.html"
        hash = "a37a290863fe29b9812e819e4c5b047c44e7a7d7c40e33da6f5662e1957862ab"
        version = "1.0"
        date = "2023-01-03"
        DaysofYARA = "3/100"

    condition:
        // Either fingerprint alone is a hit. Both are build artifacts rather
        // than code: an imphash is shared by every binary with the same import
        // table (same project template / toolchain), and the Rich-header hash
        // by binaries from the same compiler+linker set-up, so occasional
        // unrelated hits are expected — confirm against the sample hash.
        // If a file has no Rich header, pe.rich_signature.clear_data is
        // undefined and that branch is simply false.
        pe.imphash() == "72f60d7f4ce22db4506547ad555ea0b1" or
        hash.md5(pe.rich_signature.clear_data) == "c0de41e45352714500771d43f0d8c4c3"
}
--------------------------------------------------------------------------------
/shellcromancer/lang_zig.yar:
--------------------------------------------------------------------------------
rule lang_zig
{
    meta:
        description = "Identify a Zig binary regardless of format (PE, Macho, ELF) or arch. Tested with regular and stripped binaries."
        author = "@shellcromancer"
        version = "1.0"
        last_modified = "2023.01.04"
        sample = "ae3beacdfaa311d48d9c776ddd1257a6aad2b0fe" // zig init-exe macOS

    strings:
        // Case-sensitive ASCII substring — also inside "zigzag", "Leipzig",
        // etc. The occurrence threshold below is what keeps this usable.
        $zig = "zig"

    condition:
        (
            int16(0) == 0x5a4d or // PE ("MZ"; signed vs unsigned read is immaterial for this value)
            uint32(0) == 0x464c457f or // ELF
            uint32(0) == 0xfeedface or // Mach-O MH_MAGIC
            uint32(0) == 0xcefaedfe or // Mach-O MH_CIGAM
            uint32(0) == 0xfeedfacf or // Mach-O MH_MAGIC_64
            uint32(0) == 0xcffaedfe or // Mach-O MH_CIGAM_64
            uint32(0) == 0xcafebabe or // Mach-O FAT_MAGIC
            uint32(0) == 0xbebafeca // Mach-O FAT_CIGAM — both byte orders are covered; note Java .class files (CA FE BA BE) pass this gate too
        ) and
        #zig >= 4 // at least four occurrences
}
--------------------------------------------------------------------------------
/silas/MAL_EXE_RoyalRansomware.yar:
--------------------------------------------------------------------------------
rule MAL_EXE_RoyalRansomware
{
    meta:
        author = "Silas Cutler"
        description = "Detection for Royal Ransomware seen Dec 2022"
        date = "2023-01-03"
        version = "1.0"
        hash = "a8384c9e3689eb72fa737b570dbb53b2c3d103c62d46747a96e1e1becf14dfea"
DaysofYARA = "3/100"

    strings:
        // Appended extension and dropped file names.
        $ext = ".royal_" wide
        $fname = "royal_dll.dll"
        $readme = "README.TXT" wide // generic on its own; only contributes to the count

        $cli_flag01 = "-networkonly" wide
        $cli_flag02 = "-localonly" wide

        $ransom_msg01 = "If you are reading this, it means that your system were hit by Royal ransomware."
        $ransom_msg02 = "Try Royal today and enter the new era of data security!"
        $onion_site = "http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion/"

    condition:
        // Two ways in: a broad 5-of-8 vote, or the high-confidence pair of the
        // leak-site onion address plus the encrypted-file extension.
        uint16(0) == 0x5A4D and
        (
            (5 of them) or
            ($onion_site and $ext)
        )
}
--------------------------------------------------------------------------------
/shellcromancer/tool_network_free_code.yar:
--------------------------------------------------------------------------------
rule tool_network_free_code
{
    meta:
        description = "Identify executables with domains with free hosting of code."
        author = "@shellcromancer"
        version = "1.0"
        last_modified = "2023.01.05"

    strings:
        // `xor` with no key range = every single-byte key including 0x00, so
        // plaintext is covered too. Two caveats: these hosts are used by plenty
        // of legitimate software, and a 7-12 byte string tried under 256 keys
        // will occasionally hit random high-entropy data (packed/compressed
        // sections) — treat as a hunting signal, not a verdict.
        $cf_workers = ".workers.dev" xor
        $cf_pages = ".pages.dev" xor
        $vercel_app = ".vercel.app" xor
        $vercel_dev = ".vercel.dev" xor
        $vercel_now = ".now.sh" xor
        $deno = ".deno.dev" xor
        $fly = ".fly.dev" xor
        $deta = ".deta.dev" xor

    condition:
        (
            int16(0) == 0x5a4d or // PE
            uint32(0) == 0x464c457f or // ELF
            uint32(0) == 0xfeedface or // Mach-O MH_MAGIC
            uint32(0) == 0xcefaedfe or // Mach-O MH_CIGAM
            uint32(0) == 0xfeedfacf or // Mach-O MH_MAGIC_64
            uint32(0) == 0xcffaedfe or // Mach-O MH_CIGAM_64
            uint32(0) == 0xcafebabe or // Mach-O FAT_MAGIC
            uint32(0) == 0xbebafeca // Mach-O FAT_CIGAM (Java .class files share the CA FE BA BE prefix and pass this gate too)
        ) and
        any of them
}
--------------------------------------------------------------------------------
/shellcromancer/elf_golf.yar:
--------------------------------------------------------------------------------
import "elf"

rule elf_invalid_version {
    meta:
        desc = "Identify ELF file that has mangled header info."
        author = "@shellcromancer"
        version = "0.1"
        last_modified = "2023.01.01"
        reference = "https://n0.lol/ebm/1.html"
        reference = "https://tmpout.sh/1/1.html"
        hash = "05379bbf3f46e05d385bbd853d33a13e7e5d7d50"
    condition:
        (
            uint32(0) == 0x464c457f
            and uint8(0x6) > 1 // ELF Version is greater value than in spec.
            // e_ident[EI_VERSION]: the only valid value is EV_CURRENT (1). The
            // loader does not check it, which is why header-golfed ELFs overwrite
            // it. 0 (EV_NONE) is equally invalid but not caught by "> 1";
            // "!= 1" would cover it — left as-is to keep the author's intent.
        )
}

rule elf_early_entry {
    meta:
        desc = "Identify ELF file who's entrypoint is within the header."
        author = "@shellcromancer"
        version = "0.1"
        last_modified = "2023.01.02"
        reference = "https://n0.lol/ebm/1.html"
        reference = "https://tmpout.sh/1/1.html"
        hash = "05379bbf3f46e05d385bbd853d33a13e7e5d7d50"
    condition:
        (
            uint32(0) == 0x464c457f and
            // elf.entry_point is the file offset the module derives for e_entry
            // via the program/section headers; it is undefined when e_entry
            // cannot be mapped to any of them. That covers the header-hosted
            // entry point described above, but presumably also truncated or
            // packed files with an unmappable e_entry — expect some noise.
            not defined elf.entry_point
        )
}
--------------------------------------------------------------------------------
/glesnewich/MAL_GOLDBACKDOOR_LNK.yar:
--------------------------------------------------------------------------------
rule MAL_GOLDBACKDOOR_LNK
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-02"
        version = "1.0"
        hash = "120ca851663ef0ebef585d716c9e2ba67bd4870865160fec3b853156be1159c5"
        reference = "https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf"
        DaysofYARA = "2/100"

    strings:
        // Embedded decoy: OLE2 magic (any Office 97-2003 container) and the
        // hard-coded Office16 WINWORD path used as the icon location.
        $doc_header = {D0 CF 11 E0 A1 B1 1A E1}
        $doc_icon_loc = "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.exe" ascii wide
        // Hex-encoded ASCII from the embedded script; the decoded value is in
        // each identifier (api.onedrive.com, kernel32.dll, GlobalAlloc, …).
        $script_apionedrivecom_hex_enc_str = "6170692e6f6e6564726976652e636f6d" wide
        $script_kernel32dll_hex_enc_str = "6b65726e656c33322e646c6c" wide
        $script_GlobalAlloc_hex_enc_str = "476c6f62616c416c6c6f63" wide
        $script_VirtualProtect_hex_enc_str = "5669727475616c50726f74656374" wide
        $script_WriteByte_hex_enc_str = "577269746542797465" wide
$script_CreateThread_hex_enc_str = "437265617465546872656164" wide
    condition:
        // Header gate + one embedded-document indicator + two of the encoded
        // API/host names. The encoded names are `wide` only, i.e. the script
        // is expected to be stored as UTF-16LE inside the LNK; a variant that
        // stores it as ASCII would need `ascii wide` on the $script* strings.
        uint32be(0x0) == 0x4C000000 and
        1 of ($doc*) and
        2 of ($script*)
}
--------------------------------------------------------------------------------
/silas/MAL_ELF_TorchTriton.yar:
--------------------------------------------------------------------------------
rule MAL_ELF_TorchTriton
{
    meta:
        author = "Silas Cutler"
        description = "Detection for backdoor (TorchTriton) distributed with a nightly build of PyTorch"
        date = "2023-01-02"
        version = "1.0"
        hash = "2385b29489cd9e35f92c072780f903ae2e517ed422eae67246ae50a5cc738a0e"
        ref = "https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/"
        DaysofYARA = "2/100"

    strings:
        $error = "failed to send packet"
        // Hard-coded AES key/IV material from the sample — the strongest
        // indicators here, which is why `all of ($aes_*)` is sufficient alone.
        $aes_key = "gIdk8tzrHLOM)mPY-R)QgG[;yRXYCZFU"
        $aes_iv = "?BVsNqL]S.Ni"

        // std::vector > splitIntoDomains(const string&, const string&, const string&)
        $func01 = "splitIntoDomains("
        $func02 = "packageForTransport"
        $func03 = "gatherFiles"
        // void sendFile(const string&, const string&, int, int, const string&)
        $func04 = "void sendFile("
        // The signature-style forms ("void sendFile(") presumably come from
        // function-name strings embedded in the binary rather than from the
        // symbol table — confirm against a stripped build before relying on them.

        //enc Domain
        // Eight bytes of punctuation: short and low-entropy for a string, so it
        // is never allowed to fire alone (see the condition).
        $domain = "&z-%`-(*"


    condition:
        // Note: `2 of them` counts $domain itself, so the last branch is
        // effectively $domain plus any ONE other string, not two others.
        uint32(0) == 0x464c457f and (
            (all of ($aes_*)) or
            (all of ($func*) and $error) or
            ($domain and 2 of them)
        )
}
--------------------------------------------------------------------------------
/bitsofbinary/PE_Module_PDB_Rule_Examples.yar:
--------------------------------------------------------------------------------
import "pe"

rule Heuristic_PE_PDB_Self_Identifying_as_Malware {
    meta:
        author = "BitsOfBinary"
        description = "Detects files that identify themselves as malware"
        reference = "https://bitsofbinary.github.io/yara/2023/01/04/100daysofyara-day-4.html"
        version = "1.0"
        date = "2023-01-04"
        DaysofYARA = "4/100"

    condition:
        // Case-insensitive substring of the CodeView PDB path. Cheap and often
        // effective, but analyst tooling, AV/EDR components and research
        // projects routinely have "malware" in their build paths — hunt on
        // this, never block on it.
        pe.pdb_path icontains "malware"
}

rule SessionManager_IIS_Backdoor_PDB_Path_Segments {
    meta:
        author = "BitsOfBinary"
        description = "Detects the SessionManager IIS backdoor based on some unique PDB path segments"
        reference = "https://securelist.com/the-sessionmanager-iis-backdoor/106868/"
        reference = "https://bitsofbinary.github.io/yara/2023/01/04/100daysofyara-day-4.html"
        version = "1.0"
        date = "2023-01-04"
        DaysofYARA = "4/100"

    condition:
        // Path segments from the reported sample set. In the regex each "\\" is
        // a literal backslash (not a tab escape), so it matches the text
        // "\t\t<digit>\" inside the path.
        pe.pdb_path contains "\\GodLike\\" or
        pe.pdb_path matches /\\t\\t[0-9]\\/ or
        pe.pdb_path endswith "\\sessionmanagermodule.pdb"
}
--------------------------------------------------------------------------------
/silas/MAL_EXE_PrestigeRansomware.yar:
--------------------------------------------------------------------------------
import "pe"
rule MAL_EXE_PrestigeRansomware
{
    meta:
        author = "Silas Cutler"
        description = "Detection for Prestige Ransomware"
        date = "2023-01-04"
        version = "1.0"
        ref = "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"
        hash = "5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57"
        DaysofYARA = "4/100"

    strings:
        // Contact address — the "ranusomeware" spelling is presumably verbatim
        // from the sample; do not "correct" it.
        $ransom_email = "Prestige.ranusomeware@Proton.me" wide

        $ransom_message01 = "To decrypt all the data, you will need to purchase our decryption software." wide
        $ransom_message02 = "Contact us {}. In the letter, type your ID = {:X}." wide
        $ransom_message03 = "- Do not try to decrypt your data using third party software, it may cause permanent data loss." wide
        $ransom_message04 = "- Do not modify or rename encrypted files. You will lose them."
wide

        // reg.exe command that registers a shell "open" verb for the HKCR\enc
        // ProgID (presumably bound to the encrypted-file extension) so that
        // opening an encrypted file shows the note in Notepad.
        $reg_ransom_note = "C:\\Windows\\System32\\reg.exe add HKCR\\enc\\shell\\open\\command /ve /t REG_SZ /d \"C:\\Windows\\Notepad.exe C:\\Users\\Public\\README\" /f" wide
    condition:
        // Two string hits, or the imphash alone. Imphash is a build artifact
        // (same import-table order), so that branch can collide with unrelated
        // binaries from the same toolchain — confirm on the sample hash.
        uint16(0) == 0x5A4D and
        (2 of them or pe.imphash() == "a32bbc5df4195de63ea06feb46cd6b55")
}
--------------------------------------------------------------------------------
/glesnewich/SUSP_DotNet_Method_Param.yar:
--------------------------------------------------------------------------------
import "dotnet"

// The three rules below are deliberately broad hunting queries over .NET
// method-parameter names. No PE gate is needed (dotnet.classes is undefined
// for non-.NET input, which makes each condition false), but expect heavy
// benign volume: "key" hits every dictionary/crypto helper and "http" most
// networking code. Use them to pivot, not to alert.
rule SUSP_DotNet_Method_Param_Payload
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-06"
        version = "1.0"
        DaysofYARA = "6/100"
    condition:
        for any item in dotnet.classes: (
            for any methy in item.methods: (
                for any param in methy.parameters: (
                    param.name icontains "payload"
                )
            )
        )

}


rule SUSP_DotNet_Method_Param_Key
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-06"
        version = "1.0"
        DaysofYARA = "6/100"
    condition:
        for any item in dotnet.classes: (
            for any methy in item.methods: (
                for any param in methy.parameters: (
                    param.name icontains "key"
                )
            )
        )

}


rule SUSP_DotNet_Method_Param_HTTP
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-06"
        version = "1.0"
        DaysofYARA = "6/100"


    condition:
        for any item in dotnet.classes: (
            for any methy in item.methods: (
                for any param in methy.parameters: (
                    param.name icontains "http"
                )
            )
        )

}
--------------------------------------------------------------------------------
/dan/Stairwell_CobaltStrike_Stager_API_Hashing.yara:
--------------------------------------------------------------------------------
rule Stairwell_CobaltStrike_Stager_API_Hashing
{
    meta:
        author = "Daniel Mayer (daniel@stairwell.com)"
        description = "Example rule using multiline bytes and comments to annotate instructions. Detects the ror13 API hashing (ror13 is also used by metasploit) routine used by Cobalt Strike"
        hash_x64 = "61b4c29f349f4c5d377934490ca117f87c96b2817e74cea4b2019bea09a9f7fc"
        hash_x86 = "a6f71c9f0ebe8a236e60c6219ca8466c8a2dfbeedfe3fa26bf89b6fb745ee71d"
        version = "1.0"
        date = "2023-01-05"

    strings:
        // ror13 hashing loop with the uppercase-folding trick (sub al, 20h when
        // al >= 'a'). As the description says, this idiom is shared with
        // Metasploit-derived shellcode, so a hit identifies the hashing stub,
        // not Cobalt Strike specifically. Implementations without the case
        // fold (plain ror13/add) will not match.
        $x64 = {
            // loc_2D:
            48 31 C0    // xor rax, rax
            AC          // lodsb
            3C 61       // cmp al, 61h ; 'a'
            7C 02       // jl short loc_37
            2C 20       // sub al, 20h ; ' '
            // loc_37
            41 C1 C9 0D // ror r9d, 0Dh ; 13
            41 01 C1    // add r9d, eax
            E2 ED       // loop loc_2D
        }

        $x86 = {
            // loc_1E:
            31 C0       // xor eax, eax
            AC          // lodsb
            3C 61       // cmp al, 61h ; 'a'
            7C 02       // jl short loc_27
            2C 20       // sub al, 20h ; ' '
            // loc_27:
            C1 CF 0D    // ror edi, 0Dh ; 13
            01 C7       // add edi, eax
            E2 F0       // loop loc_1E
        }

    condition:
        // No PE/ELF gate: raw shellcode blobs and memory dumps are in scope.
        any of them
}
--------------------------------------------------------------------------------
/glesnewich/SUSP_LNK_SmallScreenSize.yar:
--------------------------------------------------------------------------------
rule SUSP_LNK_SmallScreenSize
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNKs that have a screen buffer size and WindowSize dimensions of 1x1"
        date = "2023-01-01"
        version = "1.0"
        DaysofYARA = "1/100"

    strings:
        $dimensions = {02 00 00 A0 ?? 00 ?? ??
01 00 01 00 01}
        // Pattern layout (MS-SHLLINK ConsoleDataBlock, starting at the
        // BlockSignature — the preceding uint32 BlockSize is NOT in the pattern):
        //   02 00 00 A0   uint32 BlockSignature = 0xA0000002
        //   ?? 00         uint16 FillAttributes
        //   ?? ??         uint16 PopupFillAttributes
        //   01 00         uint16 ScreenBufferSizeX = 1
        //   01 00         uint16 ScreenBufferSizeY = 1
        //   01            low byte of uint16 WindowSizeX
        // WindowSizeY (and the high byte of WindowSizeX) are not checked, so
        // despite the description this pins "buffer 1x1, window width ~1", not
        // a full 1x1 window. Appending "00 01 00" would pin WindowSize = 1x1
        // exactly; left as-is since the hit set on real samples was not
        // re-verified for this review.
    condition:
        uint32be(0x0) == 0x4c000000 and all of them
}


rule MAL_Janicab_LNK
{
    meta:
        author = "Greg Lesnewich"
        description = "detect LNK files used in Janicab infection chain"
        date = "2023-01-01"
        version = "1.0"
        hash = "0c7e8427ee61672568983e51bf03e0bcf6f2e9c01d2524d82677b20264b23a3f"
        hash = "22ede766fba7551ad0b71ef568d0e5022378eadbdff55c4a02b42e63fcb3b17c"
        hash = "4920e6506ca557d486e6785cb5f7e4b0f4505709ffe8c30070909b040d3c3840"
        hash = "880607cc2da4c3213ea687dabd7707736a879cc5f2f1d4accf79821e4d24d870"
        hash = "f4610b65eba977b3d13eba5da0e38788a9e796a3e9775dd2b8e37b3085c2e1af"
        DaysofYARA = "1/100"

    strings:
        // Decoy PDF carried inside the LNK plus the cmd.exe launcher path;
        // any two of the $j_* strings are required.
        $j_pdf1 = "%PDF-1.5" ascii wide
        $j_cmd = "\\Windows\\System32\\cmd.exe" ascii wide
        $j_pdf_stream = "endstream" ascii wide
        $j_pdb_obj = "endobj" ascii wide // identifier says "pdb" but this is a PDF token
        // Same hidden-console (1x1) block as SUSP_LNK_SmallScreenSize above.
        $dimensions = {02 00 00 A0 ?? 00 ?? ?? 01 00 01 00 01}

    condition:
        uint32be(0x0) == 0x4C000000 and $dimensions and 2 of ($j_*)
}
--------------------------------------------------------------------------------
/ReadMe.md:
--------------------------------------------------------------------------------
# 100 Days of YARA Part 2 - Electric Detectaloo

Apologies in advance for the terrible naming, but welcome to 100 Days of YARA! This repository will act as the store for all YARA ideas created during this time. Any fun scripts, tools, or rules you write can be committed to this GitHub repository! For now, any associated blogging, walkthroughs, or other musing can be hosted elsewhere :)

## So what is all this any way?

In short, #100DaysofYARA is place on the internet where malware analysts, detection engineers, and reversers share ideas for YARA rules, tips for rule creation, or methods of using YARA in unconventional ways.

We'll create a new repository for each calendar year, but the structure can be pretty free-form! At some point there will be style and structural requirements for YARA rules submitted (tabs vs spaces, necessary metadata like author, date, things like that) but the general vibes are positive and uplifting so go wild with your most outlandish rules!

It is not lost on me that we could just fork Florian Roth's repositories here and call it good on detection, but this event is about advancing your own YARA skills, whether it is your first rule or your 1000th. Documenting that learning journey is important, especially for most of us late-stage adopters who probably did not major in computer science (there will be a rant on this), so think of committing to this repo as slightly-public diary about malware detection where your pals can help you and encourage you along the way.

There will be an initial walkthrough for how to use GitHub for this for those that aren't familiar, once I get around to writing it.

For now, let those YARA ideas ferment and write em down so you have content to spare - #100DaysofYARA2 starts Jan 1, 2023!
--------------------------------------------------------------------------------
/silas/MAL_EXE_LockBit_v2.yar:
--------------------------------------------------------------------------------
rule MAL_EXE_LockBit_v2
{
    meta:
        author = "Silas Cutler"
        // NOTE(review): "2011" in the description looks like a typo for 2021;
        // LockBit 2.0 surfaced in mid-2021. Left unchanged to keep the
        // author's metadata intact.
        description = "Detection for LockBit version 2.x from 2011"
        date = "2023-01-01"
        version = "1.0"
        hash = "00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8"
        DaysofYARA = "1/100"

    strings:
        // Ransom note / affiliate-recruitment text as UTF-16LE.
        $ransom_note01 = "that is located in every encrypted folder."
wide
        $ransom_note02 = "Would you like to earn millions of dollars?" wide
        $ransom_note03 = "Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company." wide
        $ransom_note04 = "You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company." wide
        $ransom_note05 = "Companies pay us the foreclosure for the decryption of files and prevention of data leak." wide
        $ransom_note06 = "You can communicate with us through the Tox messenger" wide
        $ransom_note07 = "Using Tox messenger, we will never know your real name, it means your privacy is guaranteed." wide
        $ransom_note08 = "If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browser" wide

        // Contact identifiers: Tox ID and the leak-site onion address. One of
        // these is mandatory, which keeps the note text from matching on its
        // own (it is widely quoted in reports and copied by other crews).
        $ransom_tox = "3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7" wide
        $ransom_url = "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion" wide

        // Runtime strings: progress format and the dropped HTA note name.
        $str1 = "Active:[ %d [ Completed:[ %d" wide
        $str2 = "\\LockBit_Ransomware.hta" wide

    condition:
        // PE + (contact id) + two note fragments + one runtime string.
        uint16(0) == 0x5A4D and ( $ransom_tox or $ransom_url) and 2 of ($ransom_note*) and 1 of ($str*)
}
--------------------------------------------------------------------------------
/shellcromancer/tool_nimplant.yar:
--------------------------------------------------------------------------------
// lang_nim is referenced by tool_nimplant below, so it must stay in this
// file (and before that rule) — YARA only resolves rule references within the
// same namespace and to rules already defined.
rule lang_nim
{
    meta:
        desc = "Identify a Nim binary regardless of format (PE, Macho, ELF) or arch."
        author = "@shellcromancer"
        version = "1.0"
        last_modified = "2023.01.03"
        sample = "8ec44187e50c15a7c4c89af4a1e99c63c855539101ec1ef4588d2e12e05f7d2b" // NimGrabber

    strings:
        // "@nim" prefix seen in Nim runtime strings; the count threshold below
        // filters incidental hits.
        $nim = "@nim"

    condition:
        (
            int16(0) == 0x5a4d or // PE
            uint32(0) == 0x464c457f or // ELF
            uint32(0) == 0xfeedface or // Mach-O MH_MAGIC
            uint32(0) == 0xcefaedfe or // Mach-O MH_CIGAM
            uint32(0) == 0xfeedfacf or // Mach-O MH_MAGIC_64
            uint32(0) == 0xcffaedfe or // Mach-O MH_CIGAM_64
            uint32(0) == 0xcafebabe or // Mach-O FAT_MAGIC
            uint32(0) == 0xbebafeca // Mach-O FAT_CIGAM
        ) and
        #nim > 4 // strictly more than four (lang_zig uses ">= 4"; the asymmetry looks unintentional)
}

rule tool_nimplant
{
    meta:
        description = "Identify the Nimplan binary based off strings in their blog." // sic: "Nimplant"
        author = "@shellcromancer "
        version = "0.1"
        date = "2023-01-03"
        reference = "https://casvancooten.com/posts/2021/08/building-a-c2-implant-in-nim-considerations-and-lessons-learned/#introducing-nimplant---a-lightweight-implant-and-c2-framework"
    strings:
        // The bare name is enough on its own once lang_nim has fired; the
        // operator-facing error strings below are the fallback.
        $name = "nimplant" nocase

        $str0 = "Invalid number of arguments received. Usage: 'reg [query|add] [path] '"
        $str1 = "Invalid registry. Only 'HKCU' and 'HKLM' are supported"
        $str2 = "Unknown reg command. Please use 'reg query' or 'reg add' followed by the path (and value when adding a key)."
        $str3 = "Invalid number of arguments received. Usage: 'upload [local file] [optional: remote file]'."
$str4 = "Something went wrong uploading the file (Nimplant did not receive response from staging server '"
    condition:
        // Depends on lang_nim (defined above): a Nim binary that either names
        // itself or carries three of the implant's command error strings.
        lang_nim and
        (
            $name or
            3 of ($str*)
        )
}
--------------------------------------------------------------------------------
/glesnewich/LICENSE.Detection.Rules.md:
--------------------------------------------------------------------------------
# Detection Rule License (DRL) 1.1

Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set (rules authored by Greg Lesnewich under the folder https://github.com/100DaysofYARA/2023/blob/main/glesnewich/) and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:

If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules:

1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).

2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable

3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable

If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules:

1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).

THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES.
--------------------------------------------------------------------------------
/glesnewich/SUSP_LNK_Network_CloudServices.yar:
--------------------------------------------------------------------------------
// The *_CloudServices_* rules in this file are one-host-per-rule hunting
// queries: a shell link (HeaderSize 0x4C) that contains a well-known file
// hosting/CDN host name in ASCII or UTF-16LE. Each host is also used by a lot
// of legitimate software and documents, so a hit says "LNK references a
// download-capable host", not "malicious".
rule SUSP_LNK_Network_CloudServices_Discord
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $ = "cdn.discordapp.com" ascii wide
    condition:
        uint32be(0x0) == 0x4C000000 and
        1 of them
}

rule SUSP_LNK_Network_CloudServices_OneDrive
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $ = "onedrive.live.com" ascii wide
    condition:
        uint32be(0x0) == 0x4C000000 and
        1 of them
}

rule SUSP_LNK_Network_CloudServices_OneDrive_API
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
version = "1.0"
        DaysofYARA = "3/100"
    strings:
        // bare hostname; ascii + wide covers narrow and UTF-16 LNK string fields
        $host = "api.live.com" ascii wide
    condition:
        // ShellLinkHeader.HeaderSize == 0x4C (bytes 4C 00 00 00); the LinkCLSID at
        // offset 4 is not checked, so anything starting with those 4 bytes qualifies
        uint32be(0x0) == 0x4C000000 and any of them
}

// Plain-text hostname hunts. Any one hostname hit in an LNK is enough to fire,
// so expect benign shortcuts to these services among the results.
rule SUSP_LNK_Network_CloudServices_GoogleDrive
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $host = "drive.google.com" ascii wide
    condition:
        // LNK header-size magic followed by the hostname in either encoding
        uint32be(0x0) == 0x4C000000 and any of them
}

rule SUSP_LNK_Network_CloudServices_GoogleDocs
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $host = "docs.google.com" ascii wide
    condition:
        uint32be(0x0) == 0x4C000000 and any of them
}

rule SUSP_LNK_Network_CloudServices_TransferSH
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        // substring match: also hits longer names that merely contain "transfer.sh"
        $host = "transfer.sh" ascii wide
    condition:
        uint32be(0x0) == 0x4C000000 and any of them
}

// Encoded / obfuscated spellings of the bare word "discord", for LNKs that
// build the URL at runtime instead of embedding it in clear text.
rule SUSP_LNK_Network_CloudServices_Discord_Mutations
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $discord_base64 = "discord" base64 base64wide
        // every single-byte xor key of a 7-byte word: the noisiest atom in this
        // rule, so vet hits from it before acting on them
        $discord_xor = "discord" xor(0x01-0xff) ascii wide
        // adjacent-character swap: di sc or d -> id cs ro d
        $discord_flipflop = "idcsrod" nocase ascii wide
        $discord_reverse =
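"drocsid" nocase ascii wide
        // hex and space-separated-decimal spellings of the ASCII bytes
        $discord_hex_enc_str = "646973636f7264" nocase ascii wide
        $discord_decimal = "100 105 115 99 111 114 100" nocase ascii wide
        // letter substitution a<->z, b<->y, ... (atbash; "fallchill" in the naming)
        $discord_fallchill = "wrhxliw" nocase ascii wide
        // x86 stack string: 4-byte chunks pushed last-first, each preceded by the
        // push imm32 opcode 0x68 ('h'); the *null variants NUL-pad the short final chunk
        $discord_stackpush = "hordhdisc" nocase ascii wide
        $discord_stackpushnull = "hord\x00hdisc"
        $discord_stackpushdoublenull = "hord\x00\x00hdisc"
    condition:
        // LNK HeaderSize magic; a single encoded form is enough to fire, so treat
        // hits driven only by the xor/base64 atoms as hunting leads, not verdicts
        uint32be(0x0) == 0x4C000000 and
        1 of them
}

// Encoded / obfuscated spellings of "onedrive" (same transform set as above).
rule SUSP_LNK_Network_CloudServices_OneDrive_Mutations
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $onedrive_base64 = "onedrive" base64 base64wide
        // full single-byte xor key range on an 8-byte word: noisiest atom here
        $onedrive_xor = "onedrive" xor(0x01-0xff) ascii wide
        $onedrive_flipflop = "nodeirev" nocase ascii wide
        $onedrive_reverse = "evirdeno" nocase ascii wide
        $onedrive_hex_enc_str = "6f6e656472697665" nocase ascii wide
        $onedrive_decimal = "111 110 101 100 114 105 118 101" nocase ascii wide
        $onedrive_fallchill = "lmvwirev" nocase ascii wide
        $onedrive_stackpush = "hrivehoned" nocase ascii wide
        $onedrive_stackpushnull = "hrive\x00honed"
        $onedrive_stackpushdoublenull = "hrive\x00\x00honed"
    condition:
        uint32be(0x0) == 0x4C000000 and
        1 of them
}

// Encoded / obfuscated spellings of "api.live.com".
rule SUSP_LNK_Network_CloudServices_OneDrive_API_Mutations
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $apilivecom_base64 = "api.live.com" base64 base64wide
        $apilivecom_xor = "api.live.com" xor(0x01-0xff) ascii wide
        $apilivecom_flipflop = "pa.iilevc.mo" nocase ascii wide
        $apilivecom_reverse = "moc.evil.ipa" nocase ascii wide
        $apilivecom_hex_enc_str = "6170692e6c6976652e636f6d" nocase ascii wide
        $apilivecom_decimal = "97 112 105 46 108 105 118 101 46 99 111 109" nocase ascii wide
        // was "akr.orev.xln": under the a<->z substitution the sibling rules use
        // (cf. "transfer.sh" -> "giamhuvi.hs"), the leading 'a' encodes to 'z'
        $apilivecom_fallchill = "zkr.orev.xln" nocase ascii wide
        // chunks "api." "live" ".com" pushed last-first
        $apilivecom_stackpush = "h.comhlivehapi." nocase ascii wide
        $apilivecom_stackpushnull = "h.com\x00hlivehapi."
        $apilivecom_stackpushdoublenull = "h.com\x00\x00hlivehapi."
    condition:
        uint32be(0x0) == 0x4C000000 and
        1 of them
}

// Encoded / obfuscated spellings of "drive.google.com".
rule SUSP_LNK_Network_CloudServices_GoogleDrive_Mutations
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $drivegooglecom_base64 = "drive.google.com" base64 base64wide
        $drivegooglecom_xor = "drive.google.com" xor(0x01-0xff) ascii wide
        $drivegooglecom_flipflop = "rdvi.eoggoelc.mo" nocase ascii wide
        $drivegooglecom_reverse = "moc.elgoog.evird" nocase ascii wide
        $drivegooglecom_hex_enc_str = "64726976652e676f6f676c652e636f6d" nocase ascii wide
        $drivegooglecom_decimal = "100 114 105 118 101 46 103 111 111 103 108 101 46 99 111 109" nocase ascii wide
        $drivegooglecom_fallchill = "wirev.tlltov.xln" nocase ascii wide
        // chunks "driv" "e.go" "ogle" ".com" pushed last-first
        $drivegooglecom_stackpush = "h.comhoglehe.gohdriv" nocase ascii wide
        $drivegooglecom_stackpushnull = "h.com\x00hoglehe.gohdriv"
        $drivegooglecom_stackpushdoublenull = "h.com\x00\x00hoglehe.gohdriv"
    condition:
        uint32be(0x0) == 0x4C000000 and
        1 of them
}

// Encoded / obfuscated spellings of "docs.google.com".
rule SUSP_LNK_Network_CloudServices_GoogleDocs_Mutations
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"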
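date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $docsgooglecom_base64 = "docs.google.com" base64 base64wide
        // full single-byte xor key range: the noisiest atom in this rule
        $docsgooglecom_xor = "docs.google.com" xor(0x01-0xff) ascii wide
        $docsgooglecom_flipflop = "odscg.oolg.eocm" nocase ascii wide
        $docsgooglecom_reverse = "moc.elgoog.scod" nocase ascii wide
        $docsgooglecom_hex_enc_str = "646f63732e676f6f676c652e636f6d" nocase ascii wide
        $docsgooglecom_decimal = "100 111 99 115 46 103 111 111 103 108 101 46 99 111 109" nocase ascii wide
        // a<->z letter substitution ("fallchill" in the naming)
        $docsgooglecom_fallchill = "wlxh.tlltov.xln" nocase ascii wide
        // x86 stack string: chunks "docs" ".goo" "gle." "com" pushed last-first, each
        // preceded by push imm32 (0x68, 'h'); the 3-byte final chunk is NUL-padded
        // in the *null variants
        $docsgooglecom_stackpush = "hcomhgle.h.goohdocs" nocase ascii wide
        $docsgooglecom_stackpushnull = "hcom\x00hgle.h.goohdocs"
        $docsgooglecom_stackpushdoublenull = "hcom\x00\x00hgle.h.goohdocs"
    condition:
        // LNK HeaderSize magic; any single encoded form fires the rule
        uint32be(0x0) == 0x4C000000 and
        1 of them
}

// Encoded / obfuscated spellings of "transfer.sh".
rule SUSP_LNK_Network_CloudServices_TransferSH_Mutations
{
    meta:
        author = "Greg Lesnewich"
        description = "check for LNK files referencing a common Cloud Service - this may be used to download additional components"
        date = "2023-01-03"
        version = "1.0"
        DaysofYARA = "3/100"
    strings:
        $transfer_base64 = "transfer.sh" base64 base64wide
        $transfer_xor = "transfer.sh" xor(0x01-0xff) ascii wide
        $transfersh_flipflop = "rtnafsres.h" nocase ascii wide
        $transfersh_reverse = "hs.refsnart" nocase ascii wide
        $transfersh_hex_enc_str = "7472616e736665722e7368" nocase ascii wide
        $transfersh_decimal = "116 114 97 110 115 102 101 114 46 115 104" nocase ascii wide
        $transfersh_fallchill = "giamhuvi.hs" nocase ascii wide
        // chunks "tran" "sfer" ".sh" pushed last-first
        $transfersh_stackpush = "h.shhsferhtran" nocase ascii wide
        // was "h.s\x00hhsferhtran" / "h.s\x00\x00hhsferhtran": the NUL pad belongs after
        // the whole 3-byte final chunk ".sh", matching $transfersh_stackpush and the
        // other *_stackpushnull strings (e.g. "hord\x00hdisc"); the old spelling could
        // never match the NUL-padded form it was meant to catch
        $transfersh_stackpushnull = "h.sh\x00hsferhtran"
        $transfersh_stackpushdoublenull = "h.sh\x00\x00hsferhtran"
    condition:
        uint32be(0x0) == 0x4C000000 and
        1 of them
}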
--------------------------------------------------------------------------------