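├── README.md
├── malcat
│   ├── other.yar
│   ├── README.md
│   └── obfuscators.yar
├── yara
│   ├── dotnet
│   │   ├── framework_identiciation.yar
│   │   ├── obf_confuserex.yar
│   │   └── obf_eazfuscator.yar
│   └── thor
│       └── vcruntime140_sideloading.yar
└── LICENSE.md

/README.md:
--------------------------------------------------------------------------------
# detection rules

This repository contains my detection rules for all kinds of malware and suspicious software.
I mainly work with Yara.


--------------------------------------------------------------------------------
/malcat/other.yar:
--------------------------------------------------------------------------------
import "pe"

// Malcat "compiler" signature: a PE that carries the singlefilehost file names
// and both exports the condition requires (.NET single-file bundle host).
rule SingleFileHost_App_Bundle
{
    meta:
        name = "DotNet"
        category = "compiler"
        description = "DotNet singlefilehost app bundle"
        author = "Jonathan Peters"
        created = "2024-01-03"
        reliability = 90
    strings:
        $ = "singlefilehost.exe" ascii
        $ = "singlefilehost.pdb" ascii
    condition:
        uint16(0) == 0x5a4d and
        1 of them and
        pe.exports("DotNetRuntimeInfo") and
        pe.exports("CLRJitAttachState")
}

--------------------------------------------------------------------------------
/yara/dotnet/framework_identiciation.yar:
--------------------------------------------------------------------------------
// The condition below calls pe.exports(), which is only defined once the "pe"
// module is imported (the Malcat variant of this rule in malcat/other.yar
// already imports it); without the import the rule fails to compile.
import "pe"

rule DOTNET_SingleFileHost_Bundled_App {
    meta:
        description = "Detects single file host .NET bundled apps."
        author = "Jonathan Peters"
        date = "2024-01-02"
        reference = "https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file"
    strings:
        $ = "singlefilehost.exe" ascii
        $ = "singlefilehost.pdb" ascii
    condition:
        uint16(0) == 0x5a4d and
        1 of them and
        pe.exports("DotNetRuntimeInfo") and
        pe.exports("CLRJitAttachState")
}

--------------------------------------------------------------------------------
/malcat/README.md:
--------------------------------------------------------------------------------
# Malcat specific rules

These rules are specifically formatted for the Malware Triage tool [Malcat](https://malcat.fr/)

## How to use

1. Go to your Malcat install folder and then navigate to `...\data\signatures`
2. Create a new folder; in this guide it is named `custom`
3. Copy the .yar files from this repository into your folder
4. In the `signatures` folder create a new .yar file (same name as your folder)
5. Copy the following code into that .yar file

```
include 'custom/obfuscators.yar'
```
*Change `custom` to your folder name*

--------------------------------------------------------------------------------
/yara/dotnet/obf_confuserex.yar:
--------------------------------------------------------------------------------
rule SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 {
    meta:
        description = "Detects Naming Pattern used by ConfuserEx. ConfuserEx is a widely used open source obfuscator often found in malware"
        author = "Jonathan Peters"
        date = "2024-01-03"
        reference = "https://github.com/yck1509/ConfuserEx/tree/master"
        hash = "2f67f590cabb9c79257d27b578d8bf9d1a278afa96b205ad2b4704e7b9a87ca7"
        score = 60
    strings:
        // $s1-$s5 only establish that the file is a .NET image
        $s1 = "mscoree.dll" ascii
        $s2 = "mscorlib" ascii
        $s3 = "System.Private.Corlib" ascii
        $s4 = "#Strings" ascii
        $s5 = { 5F 43 6F 72 [3] 4D 61 69 6E }  // "_Cor???Main" (_CorExeMain / _CorDllMain)

        // Long run of 3-byte UTF-8 sequences starting with E2 (U+2000 block,
        // i.e. invisible/zero-width code points), terminated by E2 80 AE (U+202E).
        // The condition requires this run to appear more than five times.
        $name_pattern = { E2 ( 80 8? | 81 AA ) E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 [2] E2 80 AE}
    condition:
        uint16(0) == 0x5a4d
        and 2 of ($s*)
        and #name_pattern > 5
}

--------------------------------------------------------------------------------
/yara/thor/vcruntime140_sideloading.yar:
--------------------------------------------------------------------------------
import "pe"

// "filename" is not a YARA builtin: it is an external variable supplied by the
// scanner (THOR). With the plain yara CLI it must be defined, e.g.
//   yara -d filename=VCRUNTIME140.dll <rules> <file>
rule SUSP_VCRuntime_Sideloading_Indicators_Aug23 {
    meta:
        description = "Detects indicators of .NET based malware sideloading as VCRUNTIME140"
        author = "Jonathan Peters"
        date = "2023-08-30"
        hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
        score = 75
    condition:
        (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
        // a file named like the VC runtime DLL that imports the CLR DLL entry point
        and pe.imports("mscoree.dll", "_CorDllMain")
}

rule SUSP_VCRuntime_Sideloading_Indicators_1_Aug23 {
    meta:
        description = "Detects indicators of malware sideloading as VCRUNTIME140"
        author = "Jonathan Peters"
        date = "2023-08-30"
        hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
        score = 75
    strings:
        $x = "Wine builtin DLL" ascii
    condition:
        (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
        // unsigned, or signed by an issuer other than Microsoft.
        // FIX: the YARA string operator is "contains"; the original "contain"
        // is a syntax error and the rule would not compile.
        // pe.signatures[0] is only evaluated when number_of_signatures != 0.
        and ( pe.number_of_signatures == 0
            or not pe.signatures[0].issuer contains "Microsoft Corporation" )
        // exclusion for Wine's builtin DLL marker (presumably a known
        // benign, unsigned vcruntime140 replacement)
        and not $x
}

--------------------------------------------------------------------------------
/malcat/obfuscators.yar:
--------------------------------------------------------------------------------
rule Eazfuscator_String_Encryption : suspicious
{
    meta:
        name = "Eazfuscator"
        category = "obfuscation"
        description = "Eazfuscator.NET string encryption"
        author = "Jonathan Peters"
        created = "2024-01-01"
        reliability = 90
        tlp = "TLP:white"
        sample = "3a9ee09ed965e3aee677043ba42c7fdbece0150ef9d1382c518b4b96bbd0e442"
    strings:
        $sa1 = "StackFrame" ascii
        $sa2 = "StackTrace" ascii
        $sa3 = "Enter" ascii
        $sa4 = "Exit" ascii

        // CIL byte patterns; $op4 is documented in yara/dotnet/obf_eazfuscator.yar
        $op1 = { 11 ?? 18 91 11 ?? 1? 91 1F 10 62 60 11 ?? 1? 91 1E 62 60 11 ?? 17 91 1F 18 62 60 }
        $op2 = { D1 28 ?? 00 00 0A 0? 1F 10 63 D1 }
        $op3 = { 1F 10 63 D1 28 [3] 0A }
        $op4 = { 7B ?? 00 00 04 16 91 02 7B ?? 00 00 04 17 91 1E 62 60 02 7B ?? 00 00 04 18 91 1F 10 62 60 02 7B ?? 00 00 04 19 91 1F 18 62 60 }
    condition:
        uint16(0) == 0x5a4d and
        all of ($sa*) and
        (
            2 of ($op*) or
            #op1 == 2
        )
}

rule Eazfuscator_Code_Virtualization : suspicious
{
    meta:
        name = "Eazfuscator"
        category = "obfuscation"
        description = "Eazfuscator.NET code virtualization"
        author = "Jonathan Peters"
        created = "2024-01-01"
        reliability = 90
        tlp = "TLP:white"
        sample = "53d5c2574c7f70b7aa69243916acf6e43fe4258fbd015660032784e150b3b4fa"
    strings:
        $sa1 = "BinaryReader" ascii
        $sa2 = "GetManifestResourceStream" ascii
        $sa3 = "get_HasElementType" ascii

        $op1 = { 28 [2] 00 06 28 [2] 00 06 72 [2] 00 70 ?? 1? 2D 0? 26 26 26 26 2B }
        $op2 = { 7E [3] 04 2D 3D D0 [3] 02 28 [3] 0A 6F [3] 0A 72 [3] 70 6F [3] 0A 20 80 00 00 00 8D ?? 00 00 01 25 D0 [3] 04 28 [3] 0A 28 [3] 06 28 [3] 06 80 [3] 04 7E [3] 04 2A } // VM Stream Init
        $op3 = { 02 20 [4] 1F 09 73 [4] 7D [3] 04 }
    condition:
        uint16(0) == 0x5a4d and
        all of ($sa*) and
        2 of ($op*)
}

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
## Detection Rule License (DRL) 1.1

Permission is hereby granted, free of charge, to any person obtaining a copy
of this rule set and associated documentation files (the "Rules"), to deal
in the Rules without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Rules, and to permit persons to whom the Rules are furnished to do so,
subject to the following conditions:

If you share the Rules (including in modified form), you must retain the
following if it is supplied within the Rules:

1. identification of the authors(s) ("author" field) of the Rule and any
   others designated to receive attribution, in any reasonable manner
   requested by the Rule author (including by pseudonym if designated).

2. a URI or hyperlink to the Rule set or explicit Rule to the extent
   reasonably practicable

3. indicate the Rules are licensed under this Detection Rule License, and
   include the text of, or the URI or hyperlink to, this Detection Rule
   License to the extent reasonably practicable

If you use the Rules (including in modified form) on data, messages based on
matches with the Rules must retain the following if it is supplied within the
Rules:

1. identification of the authors(s) ("author" field) of the Rule and any
   others designated to receive attribution, in any reasonable manner
   requested by the Rule author (including by pseudonym if designated).

THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE
RULES.

--------------------------------------------------------------------------------
/yara/dotnet/obf_eazfuscator.yar:
--------------------------------------------------------------------------------
rule SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24
{
    meta:
        description = "Detects .NET images obfuscated with Eazfuscator string encryption. Eazfuscator is a widely used commercial obfuscation solution used by both legitimate software and malware."
        author = "Jonathan Peters"
        date = "2024-01-01"
        reference = "https://www.gapotchenko.com/eazfuscator.net"
        hash = "3a9ee09ed965e3aee677043ba42c7fdbece0150ef9d1382c518b4b96bbd0e442"
        score = 60
    strings:
        $sa1 = "StackFrame" ascii
        $sa2 = "StackTrace" ascii
        $sa3 = "Enter" ascii
        $sa4 = "Exit" ascii

        $op1 = { 11 ?? 18 91 11 ?? 1? 91 1F 10 62 60 11 ?? 1? 91 1E 62 60 11 ?? 17 91 1F 18 62 60 }
        $op2 = { D1 28 ?? 00 00 0A 0? 1F 10 63 D1 }
        $op3 = { 1F 10 63 D1 28 [3] 0A }
        $op4 = { 7B ?? 00 00 04 16 91 02 7B ?? 00 00 04 17 91 1E 62 60 02 7B ?? 00 00 04 18 91 1F 10 62 60 02 7B ?? 00 00 04 19 91 1F 18 62 60 } // (int)this.\u0003[0] | ((int)this.\u0003[1] << 8) | ((int)this.\u0003[2] << 0x10) | ((int)this.\u0003[3] << 0x18);
    condition:
        uint16(0) == 0x5a4d
        and all of ($sa*)
        and (
            2 of ($op*)
            or
            #op1 == 2
        )
}

rule SUSP_OBF_NET_Eazfuscator_Virtualization_Jan24
{
    meta:
        description = "Detects .NET images obfuscated with Eazfuscator virtualization protection. Eazfuscator is a widely used commercial obfuscation solution used by both legitimate software and malware."
        author = "Jonathan Peters"
        date = "2024-01-02"
        reference = "https://www.gapotchenko.com/eazfuscator.net"
        hash = "53d5c2574c7f70b7aa69243916acf6e43fe4258fbd015660032784e150b3b4fa"
        score = 60
    strings:
        $sa1 = "BinaryReader" ascii
        $sa2 = "GetManifestResourceStream" ascii
        $sa3 = "get_HasElementType" ascii

        $op1 = { 28 [2] 00 06 28 [2] 00 06 72 [2] 00 70 ?? 1? 2D 0? 26 26 26 26 2B }
        $op2 = { 7E [3] 04 2D 3D D0 [3] 02 28 [3] 0A 6F [3] 0A 72 [3] 70 6F [3] 0A 20 80 00 00 00 8D ?? 00 00 01 25 D0 [3] 04 28 [3] 0A 28 [3] 06 28 [3] 06 80 [3] 04 7E [3] 04 2A } // VM Stream Init
        $op3 = { 02 20 [4] 1F 09 73 [4] 7D [3] 04 }
    condition:
        uint16(0) == 0x5a4d
        and all of ($sa*)
        and 2 of ($op*)
}

--------------------------------------------------------------------------------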