├── .gitignore ├── .gitattributes ├── yara └── rules │ ├── Linux_Trojan_Ebury.yar │ ├── Linux_Trojan_Marut.yar │ ├── Linux_Trojan_Godlua.yar │ ├── Linux_Trojan_Zpevdo.yar │ ├── Multi_EICAR.yar │ ├── Windows_Shellcode_Generic.yar │ ├── Linux_Virus_Rst.yar │ ├── Linux_Exploit_Alie.yar │ ├── Linux_Exploit_Foda.yar │ ├── Linux_Trojan_Bish.yar │ ├── Linux_Trojan_Lala.yar │ ├── Linux_Trojan_Masan.yar │ ├── Linux_Trojan_Mech.yar │ ├── Linux_Trojan_Nuker.yar │ ├── Linux_Trojan_Sckit.yar │ ├── Linux_Trojan_Sqlexp.yar │ ├── Linux_Virus_Thebe.yar │ ├── Linux_Exploit_Abrox.yar │ ├── Linux_Exploit_Openssl.yar │ ├── Linux_Exploit_Ramen.yar │ ├── Linux_Exploit_Wuftpd.yar │ ├── Linux_Hacktool_Aduh.yar │ ├── Linux_Rootkit_Adore.yar │ ├── Linux_Trojan_Rooter.yar │ ├── Linux_Trojan_Sshdkit.yar │ ├── Linux_Trojan_Subsevux.yar │ ├── Linux_Trojan_Truncpx.yar │ ├── Linux_Trojan_Xpmmap.yar │ ├── Linux_Exploit_Courier.yar │ ├── Linux_Exploit_Dirtycow.yar │ ├── Linux_Exploit_Moogrey.yar │ ├── Linux_Trojan_Bluez.yar │ ├── Linux_Trojan_Sysrv.yar │ ├── Windows_Trojan_ProtectS.yar │ ├── Linux_Backdoor_Bash.yar │ ├── Linux_Exploit_CVE_2021_4034.yar │ ├── Linux_Exploit_Criscras.yar │ ├── Linux_Exploit_Race.yar │ ├── Linux_Hacktool_Prochide.yar │ ├── Linux_Hacktool_Tcpscan.yar │ ├── Linux_Trojan_Cerbu.yar │ ├── Linux_Trojan_Godropper.yar │ ├── Linux_Trojan_Lady.yar │ ├── Linux_Trojan_Neshta.yar │ ├── Linux_Trojan_Rozena.yar │ ├── Linux_Trojan_Sdbot.yar │ ├── Linux_Trojan_Torii.yar │ ├── Windows_Exploit_Dcom.yar │ ├── Linux_Trojan_Asacub.yar │ ├── Linux_Trojan_Backegmm.yar │ ├── Linux_Trojan_Badbee.yar │ ├── Linux_Trojan_Banload.yar │ ├── Linux_Trojan_Bedevil.yar │ ├── Linux_Trojan_Chinaz.yar │ ├── Linux_Trojan_Dnsamp.yar │ ├── Linux_Trojan_Hiddad.yar │ ├── Linux_Trojan_Mechbot.yar │ ├── Linux_Trojan_Morpes.yar │ ├── Linux_Trojan_Pidief.yar │ ├── Linux_Trojan_Pnscan.yar │ ├── Linux_Trojan_Sfloost.yar │ ├── Linux_Trojan_Shark.yar │ ├── Linux_Trojan_Shellbot.yar │ ├── Linux_Trojan_Skidmap.yar │ ├── 
Windows_Rootkit_R77.yar │ ├── Windows_Trojan_CaesarKbd.yar │ ├── Linux_Backdoor_Python.yar │ ├── Linux_Exploit_Intfour.yar │ ├── Linux_Rootkit_Arkd.yar │ ├── Linux_Trojan_Adlibrary.yar │ ├── Linux_Virus_Staffcounter.yar │ ├── Windows_Trojan_Farfli.yar │ ├── Linux_Cryptominer_Bscope.yar │ ├── Linux_Cryptominer_Ursu.yar │ ├── Linux_Cryptominer_Xpaj.yar │ ├── Linux_Cryptominer_Zexaf.yar │ ├── Linux_Ransomware_Hive.yar │ ├── Linux_Rootkit_Dakkatoni.yar │ ├── Linux_Trojan_Azeela.yar │ ├── Linux_Trojan_Connectback.yar │ ├── Linux_Trojan_Mumblehard.yar │ ├── Linux_Trojan_Pornoasset.yar │ ├── Linux_Trojan_Rotajakiro.yar │ ├── Linux_Trojan_Sambashell.yar │ ├── MacOS_Backdoor_Applejeus.yar │ ├── MacOS_Virus_Pirrit.yar │ ├── Windows_Trojan_Lucifer.yar │ ├── Windows_Trojan_Lurker.yar │ ├── Linux_Cryptominer_Casdet.yar │ ├── Linux_Cryptominer_Minertr.yar │ ├── Linux_Ransomware_Gonnacry.yar │ ├── Linux_Trojan_Backconnect.yar │ ├── Linux_Trojan_Merlin.yar │ ├── MacOS_Trojan_Fplayer.yar │ ├── MacOS_Trojan_Generic.yar │ ├── Windows_Cryptominer_Generic.yar │ ├── Windows_Exploit_Eternalblue.yar │ ├── Windows_Ransomware_Rook.yar │ ├── Linux_Cryptominer_Attribute.yar │ ├── Linux_Cryptominer_Miancha.yar │ ├── Linux_Downloader_Generic.yar │ ├── Linux_Exploit_CVE_2009_1897.yar │ ├── Linux_Exploit_CVE_2009_2908.yar │ ├── Linux_Exploit_CVE_2016_4557.yar │ ├── MacOS_Trojan_Aobokeylogger.yar │ ├── MacOS_Trojan_Getshell.yar │ ├── Windows_Ransomware_Conti.yar │ ├── Windows_Trojan_Merlin.yar │ ├── Linux_Cryptominer_Presenoker.yar │ ├── Linux_Exploit_CVE_2017_100011.yar │ ├── Linux_Exploit_CVE_2018_10561.yar │ ├── Linux_Exploit_CVE_2019_13272.yar │ ├── Windows_Trojan_DBatLoader.yar │ ├── Linux_Exploit_CVE_2014_3153.yar │ ├── Linux_Hacktool_Infectionmonkey.yar │ ├── Linux_Ransomware_Sodinokibi.yar │ ├── Windows_Trojan_ArkeiStealer.yar │ ├── Windows_Trojan_Limerat.yar │ ├── Linux_Hacktool_Exploitscan.yar │ ├── Windows_AttackSimulation_Hovercraft.yar │ ├── Windows_Trojan_Xpertrat.yar │ ├── 
Windows_Trojan_Octopus.yar │ ├── Linux_Packer_Patched_UPX.yar │ ├── Windows_Ransomware_Pandora.yar │ ├── Windows_Ransomware_Stop.yar │ ├── MacOS_Backdoor_Useragent.yar │ ├── Windows_Trojan_Hancitor.yar │ ├── Windows_Ransomware_Lockfile.yar │ ├── Windows_Trojan_Remcos.yar │ ├── MacOS_Cryptominer_Xmrig.yar │ ├── Windows_Trojan_Babylonrat.yar │ ├── MacOS_Backdoor_Keyboardrecord.yar │ ├── MacOS_Trojan_Electrorat.yar │ ├── Windows_Ransomware_Mespinoza.yar │ ├── Windows_Trojan_Bitrat.yar │ ├── Windows_Trojan_Revengerat.yar │ ├── Windows_Trojan_Jupyter.yar │ ├── MacOS_Trojan_Eggshell.yar │ ├── Windows_Trojan_A310logger.yar │ ├── MacOS_Backdoor_Fakeflashlxk.yar │ ├── Windows_Trojan_Gh0st.yar │ ├── Windows_Ransomware_Ransomexx.yar │ ├── Windows_Trojan_OskiStealer.yar │ ├── Windows_Trojan_Pandastealer.yar │ ├── Multi_Trojan_Bishopsliver.yar │ ├── Linux_Exploit_Log4j.yar │ ├── MacOS_Exploit_Log4j.yar │ ├── Windows_Ransomware_Avoslocker.yar │ ├── Windows_Trojan_WhisperGate.yar │ ├── Windows_Trojan_DiamondFox.yar │ ├── Windows_Trojan_Remotemanipulator.yar │ ├── Windows_Exploit_Log4j.yar │ ├── Windows_Trojan_Darkcomet.yar │ ├── Windows_Trojan_Hawkeye.yar │ ├── Linux_Backdoor_Tinyshell.yar │ ├── Windows_Trojan_Cryptbot.yar │ ├── Windows_Trojan_Azorult.yar │ ├── Windows_Wiper_HermeticWiper.yar │ ├── Windows_Trojan_Njrat.yar │ ├── Windows_Trojan_Revcoderat.yar │ ├── Windows_Trojan_StormKitty.yar │ ├── Windows_Trojan_SystemBC.yar │ ├── Windows_Wiper_CaddyWiper.yar │ ├── MacOS_Backdoor_Kagent.yar │ ├── Windows_Trojan_Pony.yar │ ├── Windows_Wiper_DoubleZero.yar │ ├── Windows_Ransomware_Generic.yar │ ├── Windows_Trojan_Asyncrat.yar │ ├── Windows_Trojan_DCRat.yar │ ├── Windows_Trojan_Quasarrat.yar │ ├── Windows_Trojan_Tofsee.yar │ ├── Linux_Rootkit_Fontonlake.yar │ ├── Windows_Wiper_IsaacWiper.yar │ ├── Windows_Trojan_Danabot.yar │ ├── Linux_Hacktool_Wipelog.yar │ ├── Windows_Trojan_SVCReady.yar │ ├── Windows_Hacktool_Dcsyncer.yar │ ├── Windows_Trojan_Buerloader.yar │ ├── 
Windows_Trojan_Carberp.yar │ ├── Windows_Ransomware_Mountlocker.yar │ ├── Linux_Hacktool_Fontonlake.yar │ ├── Windows_Trojan_Zeus.yar │ ├── Linux_Proxy_Frp.yar │ ├── MacOS_Hacktool_Bifrost.yar │ ├── Windows_Ransomware_Helloxd.yar │ ├── Windows_Trojan_XtremeRAT.yar │ ├── Linux_Exploit_CVE_2022_0847.yar │ ├── Windows_Trojan_Kronos.yar │ ├── Windows_Trojan_MassLogger.yar │ ├── Linux_Exploit_CVE_2021_3490.yar │ ├── Windows_Ransomware_Grief.yar │ ├── Windows_Trojan_Nanocore.yar │ ├── Linux_Backdoor_Fontonlake.yar │ ├── Windows_Trojan_Pingpull.yar │ ├── Linux_Cryptominer_Bulz.yar │ ├── MacOS_Virus_Vsearch.yar │ ├── Windows_Trojan_Donutloader.yar │ ├── Linux_Trojan_Setag.yar │ ├── Linux_Trojan_Ganiw.yar │ ├── Linux_Cryptominer_Flystudio.yar │ └── Windows_Trojan_SnakeKeylogger.yar ├── .github ├── ISSUE_TEMPLATE │ ├── behavior_custom_issue.md │ ├── behavior_bug_issue.md │ └── yara_rule_tuning.md └── workflows │ └── duplicate_issue.yml └── behavior └── rules ├── execution_eggshell_backdoor_execution.toml ├── defense_evasion_renamed_autoit_scripts_interpreter.toml ├── defense_evasion_potential_defense_evasion_via_filter_manager_control_program.toml ├── credential_access_dumping_account_hashes_via_built_in_commands.toml ├── privilege_escalation_suspicious_windows_service_execution.toml ├── credential_access_potential_access_to_kerberos_cached_credentials.toml ├── credential_access_lsa_dump_via_silentprocessexit.toml ├── command_and_control_netwire_rat_registry_modification.toml ├── execution_privilege_escalation_enumeration_via_linpeas.toml ├── execution_suspicious_automator_workflows_execution.toml ├── privilege_escalation_privilege_escalation_via_named_pipe_impersonation.toml ├── defense_evasion_operating_system_security_updates_disabled.toml └── command_and_control_suspicious_netsupport_execution.toml /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
# Force LF line endings for rule and config sources on every platform.
*.yar text eol=lf
*.toml text eol=lf
*.lua text eol=lf

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Ebury.yar:
--------------------------------------------------------------------------------
// Common shape of this rule set: one raw x86 byte sequence $a and the
// condition "all of them", so a single occurrence of $a anywhere in the
// scanned file or memory region fires the rule.
rule Linux_Trojan_Ebury_7b13e9b6 {
    meta:
        id = "7b13e9b6-ce96-4bd3-8196-83420280bd1f"
        fingerprint = "a891724ce36e86637540f722bc13b44984771f709219976168f12fe782f08306"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Ebury"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64: loads from [rsp+0x10..0x28] (REX 4C prefixes) followed by a short jz (74 04)
        $a = { 8B 44 24 10 4C 8B 54 24 18 4C 8B 5C 24 20 8B 5C 24 28 74 04 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Marut.yar:
--------------------------------------------------------------------------------
rule Linux_Trojan_Marut_47af730d {
    meta:
        id = "47af730d-1e03-4d27-9661-84fb12b593bd"
        fingerprint = "4429ef9925aff797ab973f9a5b0efc160a516f425e3b024f22e5a5ddad26c341"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Marut"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: mov [esp],esi; call ecx; reload args from [esp+4..0xC]; test edx,edx
        $a = { 20 89 34 24 FF D1 8B 44 24 0C 0F B6 4C 24 04 8B 54 24 08 85 D2 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Godlua.yar:
--------------------------------------------------------------------------------
rule
Linux_Trojan_Godlua_ed8e6228 {
    meta:
        id = "ed8e6228-d5be-4b8e-8dc2-7072b1236bfa"
        fingerprint = "9b73c2bbbe1bc43ae692f03b19cd23ad701f0120dff0201dd2a6722c44ea51ed"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Godlua"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64 frame-local traffic: mov [rbp-0x18],rax; jmp +0x60; mov rax,[rbp-0xA8]; add rax,0x20
        $a = { C0 18 48 89 45 E8 EB 60 48 8B 85 58 FF FF FF 48 83 C0 20 48 89 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Zpevdo.yar:
--------------------------------------------------------------------------------
rule Linux_Trojan_Zpevdo_7f563544 {
    meta:
        id = "7f563544-4ef3-460f-9a36-23d086f9c421"
        fingerprint = "a2113b38c27ee7e22313bd0ffbcabadfbf7f3f33d241a97db2dc86299775afd6"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Zpevdo"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64 function prologue (push rbp; mov rbp,rsp; sub rsp,0x20), spills of edi/rsi, then mov esi,1 / mov edi,0x11..
        $a = { 55 48 89 E5 48 83 EC 20 89 7D EC 48 89 75 E0 BE 01 00 00 00 BF 11 00 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Multi_EICAR.yar:
--------------------------------------------------------------------------------
// The EICAR anti-malware test string. Not malicious, hence severity 1 and
// threat_name "Not-a-virus"; kept so scanners can be exercised end to end.
// "\\" in the YARA text string is a single literal backslash.
rule Multi_EICAR_ac8f42d6 {
    meta:
        id = "ac8f42d6-52da-46ec-8db1-5a5f69222a38"
        fingerprint = "bb0e0bdf70ec65d98f652e2428e3567013d5413f2725a2905b372fd18da8b9dd"
        creation_date = "2021-01-21"
        last_modified = "2022-01-13"
        threat_name = "Multi.EICAR.Not-a-virus"
        severity = 1
        arch_context = "x86, arm64"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "multi"
    strings:
        $a =
"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii fullword 15 | condition: 16 | all of them 17 | } 18 | 19 | -------------------------------------------------------------------------------- /yara/rules/Windows_Shellcode_Generic.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Shellcode_Generic_8c487e57 { 2 | meta: 3 | id = "8c487e57-4b8c-488e-a1d9-786ff935fd2c" 4 | fingerprint = "834caf96192a513aa93ac48fb8d2f3326bf9f08acaf7a27659f688b26e3e57e4" 5 | creation_date = "2022-05-23" 6 | last_modified = "2022-07-18" 7 | threat_name = "Windows.Shellcode.Generic" 8 | severity = 100 9 | arch_context = "x86" 10 | scan_context = "file, memory" 11 | license = "Elastic License v2" 12 | os = "windows" 13 | strings: 14 | $a = { FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 } 15 | condition: 16 | all of them 17 | } 18 | 19 | -------------------------------------------------------------------------------- /yara/rules/Linux_Virus_Rst.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Virus_Rst_1214e2ae { 2 | meta: 3 | id = "1214e2ae-90e4-425e-b47f-0a0981623236" 4 | fingerprint = "a13a9825815a417be991db57f80dac4d0c541e303e4a4e6bd03c46ece73703ea" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Virus.Rst" 8 | reference_sample = "b0e4f44d2456960bb6b20cb468c4ca1390338b83774b7af783c3d03e49eebe44" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { 00 00 00 53 89 F3 CD 80 5B 58 5F 5E 5A 59 5B C3 } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/behavior_custom_issue.md: -------------------------------------------------------------------------------- 1 | --- 2 
name: Behavior - Report a custom issue
about: Custom Issue reported
title: "[Custom]: Concise title"
labels: custom, behavior
assignees: ''

---

## Description

Provide a detailed description of the issue.

## Optional Info

- **Screenshots**

- **Example Data**

Any available data or timeline information here, pasted or attached:

```json
{
  "paste_dataz": "here"
}
```

- **Additional Requirements**
Any additional configuration required for the query to work (e.g. sysmon, config modification, etc.)


## References
- https://sample.link.com/

--------------------------------------------------------------------------------
/yara/rules/Linux_Exploit_Alie.yar:
--------------------------------------------------------------------------------
rule Linux_Exploit_Alie_e69de1ee {
    meta:
        id = "e69de1ee-294d-437e-a943-abb731842523"
        fingerprint = "01fa5343fa0fb60c320f9fa49beb9c7a8a821ace7f1d6e48ea103e746b3f27a2"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Alie"
        reference_sample = "882839549f062ab4cbe6df91336ed320eaf6c2300fc2ed64d1877426a0da567d"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: lea ecx,[ebx+8]; lea edx,[ebx+0xC]; mov al,0x0B; int 0x80 -> syscall 11 (execve); mov ebx,eax; xor eax,eax
        $a = { 0C 8D 4B 08 8D 53 0C B0 0B CD 80 89 C3 31 C0 B0 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Exploit_Foda.yar:
--------------------------------------------------------------------------------
rule Linux_Exploit_Foda_f41e9ef9 {
    meta:
        id = "f41e9ef9-b280-44cb-b877-ac998eea84d3"
        fingerprint = "d24064932ef3a972970ce446d465c28379bf83b1b72f5bf77d1def3074747a8e"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name =
"Linux.Exploit.Foda" 8 | reference_sample = "6059a6dd039b5efa36ce97acbb01406128aaf6062429474e422624ee69783ca8" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { C0 50 89 E2 53 89 E1 B0 0B CD 80 31 C0 B0 01 CD } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Bish.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Trojan_Bish_974b4b47 { 2 | meta: 3 | id = "974b4b47-38cf-4460-8ff3-e066e5c8a5fc" 4 | fingerprint = "8858f99934e367b7489d60bfaa74ab57e2ae507a8c06fb29693197792f6f5069" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Trojan.Bish" 8 | reference_sample = "9171fd2bbe182f0a3cd35937f3ee0076c9358f52f5bc047498dd9e233ae11757" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { 00 31 C0 31 DB 31 C9 B0 17 CD 80 31 C0 50 68 6E } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Lala.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Trojan_Lala_51deb1f9 { 2 | meta: 3 | id = "51deb1f9-2d5f-4c41-99f3-138c15c35804" 4 | fingerprint = "220bcaa4f18b9474ddd3da921e1189d17330f0eb98fa55a193127413492fb604" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Trojan.Lala" 8 | reference_sample = "f3af65d3307fbdc2e8ce6e1358d1413ebff5eeb5dbedc051394377a4dabffa82" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { D9 7C F3 89 D8 83 7D FC 00 7D 02 F7 D8 8B 55 08 } 16 | 
condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Masan.yar:
--------------------------------------------------------------------------------
rule Linux_Trojan_Masan_5369c678 {
    meta:
        id = "5369c678-9a74-42fe-a4b3-b4d48126bb22"
        fingerprint = "5fd243bf05cafd7db33d6c0167f77148ae53983906e917e174978130ae08062a"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Masan"
        reference_sample = "f2de9f39ca3910d5b383c245d8ca3c1bdf98e2309553599e0283062e0aeff17f"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: store call result at [ebp-0x1C], cmp with -1, jne (wildcarded offset), push 0x0804xx90 -- an
        // absolute address in the 0x0804xxxx range, i.e. a non-PIE i386 ELF. The compare-and-branch part is a
        // generic compiler idiom; the pushed address is what gives this pattern its specificity.
        $a = { 89 C0 89 45 E4 83 7D E4 FF 75 ?? 68 ?? 90 04 08 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Mech.yar:
--------------------------------------------------------------------------------
rule Linux_Trojan_Mech_d30ec0a0 {
    meta:
        id = "d30ec0a0-3fd6-4d83-ad29-9d45704bc8ce"
        fingerprint = "061e9f1aade510132674d87ab5981e5b6b0ae3a2782a97d8cc6c2be7b26c6454"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Mech"
        reference_sample = "710d1a0a8c7eecc6d793933c8a97cec66d284b3687efee7655a2dc31d15c0593"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // These bytes are the ASCII text "nc - Linux 2.2.1" (a version banner); an equivalent text string
        // with "ascii" would read more clearly, but the hex form keeps the rule's existing fingerprint.
        $a = { 6E 63 20 2D 20 4C 69 6E 75 78 20 32 2E 32 2E 31 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Nuker.yar:
--------------------------------------------------------------------------------
rule Linux_Trojan_Nuker_12f26779 {
    meta:
        id =
"12f26779-bda5-45b1-925f-75c620d7d840" 4 | fingerprint = "9093a96321ad912f2bb953cce460d0945c1c4e5aacd8431f343498203b85bb9b" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Trojan.Nuker" 8 | reference_sample = "440105a62c75dea5575a1660fe217c9104dc19fb5a9238707fe40803715392bf" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { C4 18 89 45 D8 83 7D D8 FF 75 17 68 ?? ?? 04 08 } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sckit.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Trojan_Sckit_a244328f { 2 | meta: 3 | id = "a244328f-1e12-4ae6-b583-ecf14a4b9d82" 4 | fingerprint = "eca152c730ecabbc9fe49173273199cb37b343d038084965ad880ddba3173f50" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Trojan.Sckit" 8 | reference_sample = "685da66303a007322d235b7808190c3ea78a828679277e8e03e6d8d511df0a30" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { 34 D0 04 08 BB 24 C3 04 08 CD 80 C7 05 A0 EE 04 } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sqlexp.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Trojan_Sqlexp_1aa5001e { 2 | meta: 3 | id = "1aa5001e-0609-4830-9c6f-675985fa50cf" 4 | fingerprint = "afce33f5bf064afcbd8b1639755733c99171074457272bf08f0c948d67427808" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Trojan.Sqlexp" 8 | reference_sample = "714a520fc69c54bcd422e75f4c3b71ce636cfae7fcec3c5c413d1294747d2dd6" 9 | 
severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: mov ebx,esp; push edx; push ebx; mov ecx,esp; mov al,0x0B; int 0x80 -> syscall 11 (execve), then padding zeros
        $a = { 89 E3 52 53 89 E1 B0 0B CD 80 00 00 ?? 00 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Virus_Thebe.yar:
--------------------------------------------------------------------------------
rule Linux_Virus_Thebe_1eb5985a {
    meta:
        id = "1eb5985a-2b35-434f-81d9-f502dff25397"
        fingerprint = "5cf9aa9a31c36028025d5038c98d56aef32c9e8952aa5cd4152fbd811231769e"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Virus.Thebe"
        reference_sample = "30af289be070f4e0f8761f04fb44193a037ec1aab9cc029343a1a1f2a8d67670"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: inc edx; zero ecx/ebx/esi; mov al,0x1A; int 0x80 -> syscall 26 (ptrace); test eax,eax; jnz.
        // Presumably a "am I being traced" check -- confirm against the sample before relying on that reading.
        $a = { 42 31 C9 31 DB 31 F6 B0 1A CD 80 85 C0 0F 85 83 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Exploit_Abrox.yar:
--------------------------------------------------------------------------------
rule Linux_Exploit_Abrox_5641ba81 {
    meta:
        id = "5641ba81-2c37-4dd1-82d8-532182e8ed15"
        fingerprint = "d2abedb6182f86982ebe283215331ce238fda3964535047768f2ea55719b052f"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Abrox"
        reference_sample = "8de96c8e61536cae870f4a24127d28b86bd8122428bf13965c596f92182625aa"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: int 0x80; push 0x17; pop eax; xor ebx,ebx; int 0x80 -> syscall 23 (setuid) with uid 0; then xor edx,edx; push edx; push "."..
        $a = { 04 58 CD 80 6A 17 58 31 DB CD 80 31 D2 52 68 2E }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Exploit_Openssl.yar:
--------------------------------------------------------------------------------
rule Linux_Exploit_Openssl_47c6fad7 {
    meta:
        id = "47c6fad7-0582-4a7a-9c51-68830e6b6132"
        fingerprint = "bde819830cc991269275ce5de2db50489368c821271aaa397ab914011f2fcb91"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Openssl"
        reference_sample = "8024af0931dff24b5444f0b06a27366a776014358aa0b7fc073030958f863ef8"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: xor ecx,ecx; mul ecx (zeroes eax/edx); push ecx; pop ebx; mov al,0xA4; int 0x80 -> syscall 164 (setresuid) with all-zero ids
        $a = { 31 C9 F7 E1 51 5B B0 A4 CD 80 31 C0 50 68 2F }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Exploit_Ramen.yar:
--------------------------------------------------------------------------------
rule Linux_Exploit_Ramen_01b205eb {
    meta:
        id = "01b205eb-4718-4ffd-9fdc-b9de567c4603"
        fingerprint = "a39afcf7cec82dc511fd39b4a019ef161250afe7cb0880e488badb56d021cc9f"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Ramen"
        reference_sample = "c0b6303300f38013840abe17abe192db6a99ace78c83bc7ef705f5c568bc98fd"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: zero eax/ebx/ecx; mov al,0x46; int 0x80 -> syscall 70 (setreuid) with uid 0; then inc ebx
        $a = { 00 31 C0 31 DB 31 C9 B0 46 CD 80 31 C0 31 DB 43 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Exploit_Wuftpd.yar:
--------------------------------------------------------------------------------
rule Linux_Exploit_Wuftpd_0991e62f {
    meta:
        id = "0991e62f-af72-416a-b88b-6bc8a501b8bb"
        fingerprint =
"642c7b059fa604a0a5110372e2247da9625b07008b012fd498670a6dd1b29974" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Exploit.Wuftpd" 8 | reference_sample = "c0b6303300f38013840abe17abe192db6a99ace78c83bc7ef705f5c568bc98fd" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { F3 8D 4E 08 8D 56 0C B0 0B CD 80 31 C0 31 DB } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Aduh.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Hacktool_Aduh_6cae7c78 { 2 | meta: 3 | id = "6cae7c78-a4b4-4096-9f7c-746b1e5a1e38" 4 | fingerprint = "8d7b0c1a95ec15c7d1ede5670ccd448b166467ed8eb2b4f38ebbb2c8bc323cdc" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Hacktool.Aduh" 8 | reference_sample = "9c67207546ad274dc78a0819444d1c8805537f9ac36d3c53eba9278ed44b360c" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { E3 51 89 E2 51 89 E1 B0 0B CD 80 31 C0 B0 01 CD } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Adore.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Rootkit_Adore_fe3fd09f { 2 | meta: 3 | id = "fe3fd09f-d170-4bb0-bc8d-6d61bdc22164" 4 | fingerprint = "2bab2a4391359c6a7148417b010887d0754b91ac99820258e849e81f7752069f" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Rootkit.Adore" 8 | reference_sample = "f4e532b840e279daf3d206e9214a1b065f97deb7c1487a34ac5cbd7cbbf33e1a" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context 
= "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { 89 C0 89 45 F4 83 7D F4 00 75 17 68 E4 A1 04 08 } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Rooter.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Trojan_Rooter_c8d08d3a { 2 | meta: 3 | id = "c8d08d3a-ff9c-4545-9f09-45fbe5b534f3" 4 | fingerprint = "2a09f9fabfefcf44c71ee17b823396991940bedd7a481198683ee3e88979edf4" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Trojan.Rooter" 8 | reference_sample = "f55e3aa4d875d8322cdd7caa17aa56e620473fe73c9b5ae0e18da5fbc602a6ba" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { D8 DC 04 08 BB 44 C3 04 08 CD 80 C7 05 48 FB 04 } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sshdkit.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Trojan_Sshdkit_18a0b82a { 2 | meta: 3 | id = "18a0b82a-94ff-4328-bfa7-25034f170522" 4 | fingerprint = "9bd28a490607b75848611389b39cf77229cfdd1e885f23c5439d49773924ce16" 5 | creation_date = "2021-04-06" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Trojan.Sshdkit" 8 | reference_sample = "003245047359e17706e4504f8988905a219fcb48865afea934e6aafa7f97cef6" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { 06 2A CA 37 F2 31 18 0E 2F 47 CD 87 9D 16 3F 6D } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Subsevux.yar: 
--------------------------------------------------------------------------------
rule Linux_Trojan_Subsevux_e9e80c1e {
    meta:
        id = "e9e80c1e-c064-47cf-91f2-0561dd5c9bcd"
        fingerprint = "bbd7a2d80e545d0cae7705a53600f6b729918a3d655bc86b2db83f15d4e550e3"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Subsevux"
        reference_sample = "a4ccd399ea99d4e31fbf2bbf8017c5368d29e630dc2985e90f07c10c980fa084"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: mov eax,eax; mov [ebp-0xC],eax; cmp [ebp-0xC],0; jns +0x1C; sub esp,0xC; push ...
        // NOTE(review): this is a generic gcc "check a call's return value, then push an argument" sequence with no
        // fixed address or immediate in it (compare Linux_Exploit_Moogrey_81131b66, which is the same idiom with a
        // different frame slot). It may recur in unrelated i386 binaries; a second anchoring string would reduce that risk.
        $a = { 89 C0 89 45 F4 83 7D F4 00 79 1C 83 EC 0C 68 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Truncpx.yar:
--------------------------------------------------------------------------------
rule Linux_Trojan_Truncpx_894d60f8 {
    meta:
        id = "894d60f8-bea6-4b09-b8ab-526308575a01"
        fingerprint = "440ce5902642aeef56b6989df4462d01faadc479f1362c0ed90d1011e8737bc3"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Truncpx"
        reference_sample = "2f09f2884fd5d3f5193bfc392656005bce6b935c12b3049ac8eb96862e4645ba"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // NOTE(review): no obvious instruction structure here; presumably a data constant from the sample -- verify.
        $a = { B9 51 FE 88 63 A1 08 08 09 C5 1A FF D3 AB B2 28 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Xpmmap.yar:
--------------------------------------------------------------------------------
rule Linux_Trojan_Xpmmap_7dcc3534 {
    meta:
        id = "7dcc3534-e94c-4c92-ac9b-a82b00fb045b"
        fingerprint = "397618543390fb8fd8b198f63034fe88b640408d75b769fb337433138dafcf66"
        creation_date = "2021-04-06"
        last_modified =
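"2021-09-16"  // tail of the Xpmmap rule's last_modified value; the rule header is outside this chunk
        threat_name = "Linux.Trojan.Xpmmap"
        reference_sample = "765546a981921187a4a2bed9904fbc2ccb2a5876e0d45c72e79f04a517c1bda3"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64: mov [rbp-8],rax / cmp qword [rbp-8],-1 / jne +0x14 / mov edi,0x400c10 —
        // a return value is tested against -1 and a fixed address is then loaded.
        $a = { 48 89 45 F8 48 83 7D F8 FF 75 14 BF 10 0C 40 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Exploit_Courier.yar ====
rule Linux_Exploit_Courier_190258dd {
    meta:
        id = "190258dd-1384-4144-aa05-7957ca0b464b"
        fingerprint = "4ba94b87847a76df80200d40383d2d289dc463faa609237dbc43f317db45074d"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Courier"
        reference_sample = "349866d0fb81d07a35b53eac6f11176721629bbd692526851e483eaa83d690c3"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: xor eax,eax / push eax / push esp / push ebx / push eax / mov al,0x3b /
        // int 0x80, then xor eax,eax / mov al,1 / int 0x80 (exit).
        // NOTE(review): 0x3b is not the Linux i386 execve number (0x0b); it is the BSD
        // one — the os meta may be worth confirming against the reference sample.
        $a = { E3 31 C0 50 54 53 50 B0 3B CD 80 31 C0 B0 01 CD }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Exploit_Dirtycow.yar ====
rule Linux_Exploit_Dirtycow_8555f149 {
    meta:
        id = "8555f149-0c91-4384-9199-8250c0fd74fd"
        fingerprint = "3d607c7ba6667c375eaab454debf8745746230d08a00499395a275e5bd05b3e4"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Dirtycow"
        reference_sample = "0fd66e120f97100e48c65322b946b812fa9df4cfb533fb327760a999e4d43945"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: add dword [ebp-8],1 / cmp dword [ebp-8],0x05F5E0FF / jle ?? / mov eax,[ebp+..]
        // — a loop counter compared against 99,999,999 (a 100-million-iteration loop).
        $a = { 83 45 F8 01 81 7D F8 FF E0 F5 05 7E ?? 8B 45 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Exploit_Moogrey.yar ====
rule Linux_Exploit_Moogrey_81131b66 {
    meta:
        id = "81131b66-788e-4456-9cb4-ffade713e8d4"
        fingerprint = "d21e48c7afe580a764153ca489c24a7039ae663ebb281a4605f3a230a963e33e"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Moogrey"
        reference_sample = "cc27b9755bd9feb1fb2c510f66e36c20a1503e6769cdaeee2bea7fe962d22ccc"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: mov eax,eax / mov [ebp-0x2c],eax / cmp dword [ebp-0x2c],0 / jns +0x1a /
        // sub esp,0xc / push imm — a return value is saved and its sign tested (error path).
        // NOTE(review): bytes 3-15 are identical to Linux_Hacktool_Tcpscan_334d0ca5 below;
        // only the trailing immediate byte differs, so cross-matches are possible.
        $a = { 89 C0 89 45 D4 83 7D D4 00 79 1A 83 EC 0C 68 50 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Bluez.yar ====
rule Linux_Trojan_Bluez_50e87fa9 {
    meta:
        id = "50e87fa9-f053-4507-ae10-b5d33b693bb3"
        fingerprint = "67855d65973d0bbdad90299f1432e7f0b4b8b1e6dfd0737ee5bee89161f2a890"
        creation_date = "2021-06-28"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Bluez"
        // Normalised to the key/type every other rule in this listing uses
        // (reference_sample + integer severity); Sysrv and Staffcounter below get the
        // same fix. NOTE(review): fingerprint/last_modified are left untouched —
        // regenerate them if the project tooling derives them from rule content (TODO confirm).
        reference_sample = "1e526b6e3be273489afa8f0a3d50be233b97dc07f85815cc2231a87f5a651ef1"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "chr\0kill\0strlen\0bind\0" — a run of NUL-separated imported symbol names
        // (likely a .dynstr fragment); such runs can recur in unrelated binaries.
        $a = { 63 68 72 00 6B 69 6C 6C 00 73 74 72 6C 65 6E 00 62 69 6E 64 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Sysrv.yar ====
rule Linux_Trojan_Sysrv_85097f24 {
    meta:
        id = "85097f24-2e2e-41e4-8769-dca7451649cc"
        fingerprint = "1cad651c92a163238f8d60d2e3670f229b4aafd6509892b9dcefe014b39c6f7d"
        creation_date = "2021-06-28"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Sysrv"
        // Normalised from `reference` / severity = "100" to match the rest of the listing.
        reference_sample = "17fbc8e10dea69b29093fcf2aa018be4d58fe5462c5a0363a0adde60f448fb26"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Opaque byte sequence; its meaning is not evident from the rule itself.
        $a = { 32 26 02 0F 80 0C 0A FF 0B 02 02 22 04 2B 02 16 02 1C 01 0C 09 }
    condition:
        all of them
}

// ==== /yara/rules/Windows_Trojan_ProtectS.yar ====
rule Windows_Trojan_ProtectS_9f6eaa90 {
    meta:
        id = "9f6eaa90-b3d4-4f0f-a81e-8010be0a6d36"
        fingerprint = "46bf59901876794dcc338923076939d765d3ce7f14d784b9687fbc05461ed6b4"
        creation_date = "2022-04-04"
        last_modified = "2022-06-09"
        threat_name = "Windows.Trojan.ProtectS"
        reference_sample = "c0330e072b7003f55a3153ac3e0859369b9c3e22779b113284e95ce1e2ce2099"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // Debug-symbol path left in the binary.
        $str1 = "\\ProtectS.pdb"
    condition:
        // uint32(0x3C) is e_lfanew; +0x18 skips "PE\0\0" and the file header and the
        // Subsystem field is at +0x44 of the optional header, so +0x5c reads Subsystem.
        // 1 == IMAGE_SUBSYSTEM_NATIVE, i.e. a kernel-mode driver. On non-PE input the
        // read is undefined, which YARA evaluates as false.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

// ==== /yara/rules/Linux_Backdoor_Bash.yar ====
rule Linux_Backdoor_Bash_e427876d {
    meta:
        id = "e427876d-c7c5-447a-ad6d-5cbc12d9dacf"
        fingerprint = "6cc13bb2591d896affc58f4a22b3463a72f6c9d896594fe1714b825e064b0956"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Backdoor.Bash"
        reference_sample = "07db41a4ddaac802b04df5e5bbae0881fead30cb8f6fa53a8a2e1edf14f2d36b"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "geDokKGlkICUxKTogL2V" — a base64 fragment; shifted by one character it
        // decodes to readable shell-script text (TODO confirm against the sample).
        $a = { 67 65 44 6F 6B 4B 47 6C 6B 49 43 31 31 4B 54 6F 67 4C 32 56 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Exploit_CVE_2021_4034.yar ====
rule Linux_Exploit_CVE_2021_4034_1c8f235d {
    meta:
        id = "1c8f235d-1345-4d5f-a5db-427dbbe6fc9a"
        fingerprint = "b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6"
        creation_date = "2022-01-26"
        last_modified = "2022-07-22"
        threat_name = "Linux.Exploit.CVE-2021-4034"
        reference_sample = "94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Both strings are artefacts of pkexec (PwnKit) exploit binaries: the crafted
        // environment entry and the target program name. Scanned on file only.
        $s1 = "PATH=GCONV_PATH="
        $s2 = "pkexec"
    condition:
        all of them
}

// ==== /yara/rules/Linux_Exploit_Criscras.yar ====
rule Linux_Exploit_Criscras_fc505c1d {
    meta:
        id = "fc505c1d-f77d-48cc-b8fe-7b24b9cc6a97"
        fingerprint = "bc5e980599c4c8fc3c9b560738d7187a0c91e2813c64b3ad0ff014230100c8d8"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Criscras"
        reference_sample = "7399f6b8fbd6d6c6fb56ab350c84910fe19cc5da67e4de37065ff3d4648078ab"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: mov [ecx],esp / mov ebx,esp / xor eax,eax / mov al,0x0b / int 0x80 (execve)
        // / xor eax,eax / inc al / int 0x80 (exit) — a classic Linux syscall sequence.
        $a = { 0C 89 21 89 E3 31 C0 B0 0B CD 80 31 C0 FE C0 CD }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Exploit_Race.yar ====
rule Linux_Exploit_Race_758a0884 {
    meta:
        id = "758a0884-0174-46c8-a57a-980fc04360d0"
        fingerprint = "3516086ae773ec1c1de75a54bafbb72ad49b4c7f1661961d5613462b53f26c43"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Race"
        reference_sample = "a4966baaa34b05cb782071ef114a53cac164e6dece275c862fe96a2cff4a6f06"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Looks like an ELF32 .symtab entry (value 0x08048518, size 0x34, info 0x12 =
        // GLOBAL FUNC) — TODO confirm. If so it only matches unstripped builds of that
        // exact binary; the many zero bytes make it a weak standalone signal.
        $a = { 00 22 00 00 00 36 00 00 00 18 85 04 08 34 00 00 00 12 00 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Hacktool_Prochide.yar ====
rule Linux_Hacktool_Prochide_7333221a {
    meta:
        id = "7333221a-b3dc-4b26-8ec7-7e4f5405e228"
        fingerprint = "e3aa99d48a8554dfaf9f7d947170e6e169b99bf5b6347d4832181e80cc2845cf"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Hacktool.Prochide"
        reference_sample = "fad956a6a38abac8a8a0f14cc50f473ec6fc1c9fd204e235b89523183931090b"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64: cmp dword [rbp-0x364],-1 / jne +0x14 / mov edi,0x40227f — a -1 check
        // followed by loading a fixed (non-PIE) address; same idiom as Xpmmap above.
        $a = { FF FF 83 BD 9C FC FF FF FF 75 14 BF 7F 22 40 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Hacktool_Tcpscan.yar ====
rule Linux_Hacktool_Tcpscan_334d0ca5 {
    meta:
        id = "334d0ca5-d143-4a32-8632-9fbdd2d96987"
        fingerprint = "1f8fc064770bd76577b9455ae858d8a98b573e01a199adf2928d8433d990eaa7"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Hacktool.Tcpscan"
        reference_sample = "62de04185c2e3c22af349479a68ad53c31b3874794e7c4f0f33e8d125c37f6b0"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: (add esp,0x10 tail) / mov [ebp-0x2c],eax / cmp dword [ebp-0x2c],0 / jns /
        // sub esp,0xc / push imm — near-identical to Linux_Exploit_Moogrey_81131b66 above.
        $a = { C4 10 89 45 D4 83 7D D4 00 79 1A 83 EC 0C 68 13 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Cerbu.yar ====
rule Linux_Trojan_Cerbu_69d5657e {
    meta:
        id = "69d5657e-1fe9-4367-b478-218c278c7fbc"
        fingerprint = "7dfaebc6934c8fa97509831e0011f2befd0dbc24a68e4a07bc1ee0decae45a42"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Cerbu"
        reference_sample = "f10bf3cf2fdfbd365d3c2d8dedb2d01b85236eaa97d15370dbcb5166149d70e9"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: pop ebx / pop esi / leave / ret, then push ebp / mov ebp,esp / sub esp,8 /
        // add esp,-4 / push [ebp+0xc] / push 5 / call — epilogue/prologue pair plus a call
        // taking the constant 5 as an argument.
        $a = { E8 5B 5E C9 C3 55 89 E5 83 EC 08 83 C4 FC FF 75 0C 6A 05 FF }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Godropper.yar ====
rule Linux_Trojan_Godropper_bae099bd {
    meta:
        id = "bae099bd-c19a-4893-96e8-63132dabce39"
        fingerprint = "5a7b0906ebc47130aefa868643e1e0a40508fe7a25bc55e5c41ff284ca2751e5"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Godropper"
        reference_sample = "704643f3fd11cda1d52260285bf2a03bccafe59cfba4466427646c1baf93881e"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Opaque byte sequence; its meaning is not evident from the rule itself.
        $a = { FF FF FF FF 88 DB A2 31 03 A3 5A 5C 9A 19 0E DB }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Lady.yar ====
rule Linux_Trojan_Lady_75f6392c {
    meta:
        id = "75f6392c-fc13-4abb-a391-b5f1ea1039d8"
        fingerprint = "da6d4dff230120eed94e04b0e6060713c2bc17da54c098e9a9f3ec7a8200b9bf"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Trojan.Lady"
        reference_sample = "c257ac7bd3a9639e0d67a7db603d5bc8d8505f6f2107a26c2615c5838cf11826"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // "Wri\0" followed by x86-64: cmp rsp,[r14+0x10] / jbe +0x38 / sub rsp,0x18 /
        // mov [rsp+0x10],rbp / lea rbp,... — resembles the Go (>=1.17 register ABI)
        // function prologue, which every Go function shares; the specificity comes from
        // the preceding "Wri\0" bytes (TODO confirm).
        $a = { 57 72 69 00 49 3B 66 10 76 38 48 83 EC 18 48 89 6C 24 10 48 8D 6C }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Neshta.yar ====
rule Linux_Trojan_Neshta_e856e9fb {
    meta:
        id = "e856e9fb-24b6-47bc-9e38-db50ff091aa9"
        fingerprint = "be36444e7cf3911d52960e28f83a04979b4669f56bc9fa7129ab852a1f17739b"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Neshta"
        reference_sample = "d69378cbb14d524f38a9b33ceeff22cfeb74ed481ffffa8aa279713d050588ae"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "of processes (recomm" — a fragment of a user-facing message.
        $a = { 6F 66 20 70 72 6F 63 65 73 73 65 73 20 28 72 65 63 6F 6D 6D }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Rozena.yar ====
rule Linux_Trojan_Rozena_56651c1d {
    meta:
        id = "56651c1d-548e-4a51-8f1c-e4add55ec14f"
        fingerprint = "a86abe550b5c698a244e1c0721cded8df17d2c9ed0ee764d6dea36acf62393de"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Rozena"
        reference_sample = "997684fb438af3f5530b0066d2c9e0d066263ca9da269d6a7e160fa757a51e04"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: mov ecx,esp / xchg eax,ebp / push 0xc7701aa4 / push edi / call esi /
        // push 0x10 / push ecx / push ebp / call eax / push ... — position-independent
        // code calling through registers after pushing immediate tags; the 3-argument
        // call with length 0x10 is consistent with a sockaddr-sized buffer (TODO confirm).
        $a = { 89 E1 95 68 A4 1A 70 C7 57 FF D6 6A 10 51 55 FF D0 68 A4 AD }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Sdbot.yar ====
rule Linux_Trojan_Sdbot_98628ea1 {
    meta:
        id = "98628ea1-40d8-4a05-835f-a5a5f83637cb"
        fingerprint = "15cf6b916dd87915738f3aa05a2955c78a357935a183c0f88092d808535625a5"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Sdbot"
        reference_sample = "5568ae1f8a1eb879eb4705db5b3820e36c5ecea41eb54a8eef5b742f477cbdd8"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Contains UTF-16LE fragments ("\PI" at the end) — unusual for a Linux ELF;
        // NOTE(review): verify against the reference sample.
        $a = { 54 00 3C 08 54 00 02 00 26 00 00 40 4D 08 00 5C 00 50 00 49 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Torii.yar ====
rule Linux_Trojan_Torii_fa253f2a {
    meta:
        id = "fa253f2a-d1a5-48b0-a3d6-aba06231e1ed"
        fingerprint = "fddf2a12f09add31fffc6b11bb3fe9e0666dae57ac8cef4dbbdee58f66df2c0a"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Trojan.Torii"
        reference_sample = "19004f250b578b3b53273e8426285df2030fac0aee3227ef98e7fcbf2a8acb86"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "ime\0GLIBC_2.14\0GLIBC_" — a symbol-name tail followed by glibc version
        // tags. NOTE(review): such .dynstr runs may occur in benign glibc-linked
        // binaries; validate the false-positive rate against a clean corpus.
        $a = { 69 6D 65 00 47 4C 49 42 43 5F 32 2E 31 34 00 47 4C 49 42 43 5F }
    condition:
        all of them
}

// ==== /yara/rules/Windows_Exploit_Dcom.yar ====
rule Windows_Exploit_Dcom_7a1bcec7 {
    meta:
        id = "7a1bcec7-e177-4adf-97a7-0d876bf65abc"
        fingerprint = "0abae84599e490056412d5a5ce1868ea118551243377d59cbb6ebd83701769b8"
        creation_date = "2021-01-12"
        last_modified = "2021-08-23"
        threat_name = "Windows.Exploit.Dcom"
        reference_sample = "84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // ASCII " by FlashSky and Ben" — an author-credit string embedded in the binary.
        $a = { 20 62 79 20 46 6C 61 73 68 53 6B 79 20 61 6E 64 20 42 65 6E }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Asacub.yar ====
rule Linux_Trojan_Asacub_d3c4aa41 {
    meta:
        id = "d3c4aa41-faae-4c85-bdc5-9e09483e92fb"
        fingerprint = "4961023c719599bd8da6b8a17dbe409911334c21b45d62385dd02a6dd35fd2be"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Asacub"
        reference_sample = "15044273a506f825859e287689a57c6249b01bb0a848f113c946056163b7e5f1"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: mov ecx,[edi] / sub esp,8 / push eax / push edi / call [ecx+0x54] /
        // add esp,0x10 / mov ecx,[ebx-0x24] / mov [..],ecx — an indirect call through a
        // function-pointer table slot at +0x54 (vtable-style).
        $a = { 10 8B 0F 83 EC 08 50 57 FF 51 54 83 C4 10 8B 8B DC FF FF FF 89 4C }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Backegmm.yar ====
rule Linux_Trojan_Backegmm_b59712e6 {
    meta:
        id = "b59712e6-d14d-4a57-a3d6-2dc323bf840d"
        fingerprint = "61b2f0c7cb98439b05776edeaf06b114d364119ebe733d924158792110c5e21c"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Backegmm"
        reference_sample = "d6c8e15cb65102b442b7ee42186c58fa69cd0cb68f4fd47eb5ad23763371e0be"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "isten\0fork\0sprintf\0h" — NUL-separated imported symbol names
        // (listen, fork, sprintf); likely a .dynstr fragment.
        $a = { 69 73 74 65 6E 00 66 6F 72 6B 00 73 70 72 69 6E 74 66 00 68 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Badbee.yar ====
rule Linux_Trojan_Badbee_231cb054 {
    meta:
        id = "231cb054-36a9-434f-8254-17fee38e5275"
        fingerprint = "ebe789fc467daf9276f72210f94e87b7fa79fc92a72740de49e47b71f123ed5c"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Badbee"
        reference_sample = "832ba859c3030e58b94398ff663ddfe27078946a83dcfc81a5ef88351d41f4e2"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: xor [edi+edx*4+0x10],eax / cmp ecx,0x10 / jne -0x1c / mov esi,ebx /
        // sar esi,0x14 / test esi,1 — a 16-iteration loop XOR-ing dword slots of a
        // table; consistent with an in-place decode step (TODO confirm).
        $a = { 8D B4 41 31 44 97 10 83 F9 10 75 E4 89 DE C1 FE 14 F7 C6 01 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Banload.yar ====
rule Linux_Trojan_Banload_d5e1c189 {
    meta:
        id = "d5e1c189-7d19-4f03-a4f3-a0aaf6d499dc"
        fingerprint = "4aa04f08005b1b7ed941dbfc563737728099e35e3f0f025532921b91b79c967c"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Banload"
        reference_sample = "48bf0403f777db5da9c6a7eada17ad4ddf471bd73ea6cf02817dd202b49204f4"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Highly repetitive (0xE4 filler between small ascending values); short
        // repetitive patterns are false-positive prone — verify against a clean corpus.
        $a = { E4 E4 E4 58 88 60 90 E4 E4 E4 E4 68 98 70 A0 E4 E4 E4 E4 78 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Bedevil.yar ====
rule Linux_Trojan_Bedevil_a1a72c39 {
    meta:
        id = "a1a72c39-c8a3-4372-bd1d-de6360c9c19e"
        fingerprint = "ea4762d6ba0b88017feda1ed68d70bedd1438bb853b8ee1f83cbca2276bfbd1e"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Bedevil"
        reference_sample = "017a9d7290cf327444d23227518ab612111ca148da7225e64a9f6ebd253449ab"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "s: \x1b[1;31m%d\x1b[0m\n\0\x1b[" — a printf format string with ANSI
        // colour escapes (bold red), i.e. coloured terminal output.
        $a = { 73 3A 20 1B 5B 31 3B 33 31 6D 25 64 1B 5B 30 6D 0A 00 1B 5B }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Chinaz.yar ====
rule Linux_Trojan_Chinaz_a2140ca1 {
    meta:
        id = "a2140ca1-0a72-4dcb-bf7c-2f51e84a996b"
        fingerprint = "ac620f3617ea448b2ad62f06490c37200fa0af8a6fe75a6a2a294a7b5b4a634a"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Chinaz"
        reference_sample = "7c44c2ca77ef7a62446f6266a757817a6c9af5e010a219a43a1905e2bc5725b0"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: push ebx / mov esi,[esp+0xc] / mov ebx,[esp+0x10] / lea esi,[esi+0] (gcc
        // 4-byte alignment nop) / mov edx,eax / mov ecx,eax / sar edx,3 — generic
        // compiler output; NOTE(review): specificity rests on the exact register mix.
        $a = { C0 53 8B 74 24 0C 8B 5C 24 10 8D 74 26 00 89 C2 89 C1 C1 FA 03 83 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Dnsamp.yar ====
rule Linux_Trojan_Dnsamp_c31eebd4 {
    meta:
        id = "c31eebd4-7709-440d-95d1-f9a3071cc5ca"
        fingerprint = "220b656a51b3041ede4ffe8f509657c393ff100c88b401c802079aae5804dacd"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Dnsamp"
        reference_sample = "4b86de97819a49a90961d59f9c3ab9f8e57e19add9fe1237d2a2948b4ff22de6"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64 (unoptimised): mov eax,[rax+0x14] / movsxd rdx,eax / lea rax,[rbp-0x20] /
        // lea rsi,[rax+4] / mov rax,[rbp-8] — loads and sign-extends a struct field at +0x14.
        $a = { 45 F8 8B 40 14 48 63 D0 48 8D 45 E0 48 8D 70 04 48 8B 45 F8 48 8B }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Hiddad.yar ====
rule Linux_Trojan_Hiddad_e35bff7b {
    meta:
        id = "e35bff7b-1a93-4cfd-a4b6-1e994c0afa98"
        fingerprint = "0ed46ca8a8bd567acf59d8a15a9597d7087975e608f42af57d36c31e777bb816"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Hiddad"
        reference_sample = "22a418e660b5a7a2e0cc1c1f3fe1d150831d75c4fedeed9817a221194522efcf"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64: movsxd rcx,edi / mov esi,edi / imul rcx,rcx,0x80808081 / sar esi,31 /
        // shr rcx,32 — the compiler's strength-reduced signed division by 255.
        // NOTE(review): this idiom is common (byte averaging / colour maths); FP-prone.
        $a = { 3C 14 48 63 CF 89 FE 48 69 C9 81 80 80 80 C1 FE 1F 48 C1 E9 20 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Mechbot.yar ====
rule Linux_Trojan_Mechbot_f2e1c5aa {
    meta:
        id = "f2e1c5aa-3318-4665-bee4-34a4afcf60bd"
        fingerprint = "4b663b0756f2ae9b43eae29cd0225ad75517ef345982e8fdafa61f3c3db2d9f5"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Mechbot"
        reference_sample = "5f8e80e6877ff2de09a12135ee1fc17bee8eb6d811a65495bcbcddf14ecb44a3"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "ERVER\0BANLIST\0BOOT\0B" — NUL-separated command keywords (SERVER,
        // BANLIST, BOOT) from a command table.
        $a = { 45 52 56 45 52 00 42 41 4E 4C 49 53 54 00 42 4F 4F 54 00 42 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Morpes.yar ====
rule Linux_Trojan_Morpes_d2ae1edf {
    meta:
        id = "d2ae1edf-7dd3-4506-96e0-039c8f00d688"
        fingerprint = "a4cedb0ef6c9c5121ee63c0c8f6bb8072f62b5866c916c7000d94999cd61b9b5"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Morpes"
        reference_sample = "14c4c297388afe4be47be091146aea6c6230880e9ea43759ef29fc1471c4b86b"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Looks like an ELF32 program-header entry (offset/vaddr/paddr = 0x5b0,
        // filesz/memsz = 0x3c) — TODO confirm. Header fields of this shape are
        // structurally common, so the false-positive rate deserves checking.
        $a = { 64 B0 05 00 00 B0 05 00 00 B0 05 00 00 3C 00 00 00 3C 00 00 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Pidief.yar ====
rule Linux_Trojan_Pidief_635667d1 {
    meta:
        id = "635667d1-4b51-4e18-9e6b-5873194ce4f1"
        fingerprint = "29e1795f941990ca18fbe61154d3cfe23d43d13af298e763cd40fb9c40d7204e"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Pidief"
        reference_sample = "e27ad676ae12188de7a04a3781aa487c11bab01d7848705bac5010d2735b19cf"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64: mov rdi,r14 / call [rax+0x10] / mov rax,[rbp] / mov rdi,rbp /
        // call [rax+0x10] / test ebx,ebx / jne +0x15 — two indirect calls through a
        // function-pointer slot at +0x10 (vtable-style).
        $a = { 06 4C 89 F7 FF 50 10 48 8B 45 00 48 89 EF FF 50 10 85 DB 75 15 4D }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Pnscan.yar ====
rule Linux_Trojan_Pnscan_20e34e35 {
    meta:
        id = "20e34e35-8639-4a0d-bfe3-6bfa1570f14d"
        fingerprint = "07678bd23ae697d42e2c7337675f7a50034b10ec7a749a8802820904a943641a"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Pnscan"
        reference_sample = "7dbd5b709f16296ba7dac66dc35b9c3373cf88452396d79d0c92d7502c1b0005"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "L\0TEL : \0<IAC>\0<DONT>\0" — telnet option-negotiation token names
        // as printed by a scanner's output routine.
        $a = { 4C 00 54 45 4C 20 3A 20 00 3C 49 41 43 3E 00 3C 44 4F 4E 54 3E 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Sfloost.yar ====
rule Linux_Trojan_Sfloost_69a5343a {
    meta:
        id = "69a5343a-4885-4d88-9eaf-ddfcc95e1f39"
        fingerprint = "c19368bf04e4b67537a8573b5beba56bab8bcfdf870640ef5bd46d40735ee539"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Sfloost"
        reference_sample = "c0cd73db5165671c7bbd9493c34d693d25b845a9a21706081e1bf44bf0312ef9"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: or eax,0x50 / mov [ebx+0xc],al / movzx eax,byte [ebp-0x10] /
        // mov word [ebx+0x10],0 / mov word [ebx+0x12],.. — field-by-field construction
        // of a 20-byte header; the 0x50 data-offset byte at +0xc and zeroed word at
        // +0x10 are consistent with a hand-built TCP header (TODO confirm).
        $a = { 0F 83 C8 50 88 43 0C 0F B6 45 F0 66 C7 43 10 00 00 66 C7 43 12 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Shark.yar ====
rule Linux_Trojan_Shark_b918ab75 {
    meta:
        id = "b918ab75-0701-4865-b798-521fdd2ffc28"
        fingerprint = "15205d58af99b8eae14de2d5762fdc710ef682839967dd56f6d65bd3deaa7981"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Shark"
        reference_sample = "8b6fe9f496996784e42b75fb42702aa47aefe32eac6f63dd16a0eb55358b6054"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: mov dword [esi+0x14],0xa / mov dword [esi+0x18],0x15 / jmp +0x30 /
        // mov dword [esi+0x14],4 — two branches initialising the same struct fields
        // with the constants 10/21 and 4.
        $a = { 26 00 C7 46 14 0A 00 00 00 C7 46 18 15 00 00 00 EB 30 C7 46 14 04 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Shellbot.yar ====
rule Linux_Trojan_Shellbot_65aa6568 {
    meta:
        id = "65aa6568-491a-4a51-b921-c6c228cfca11"
        fingerprint = "2cd606ecaf17322788a5ee3b6bd663bed376cef131e768bbf623c402664e9270"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Shellbot"
        reference_sample = "457d1f4e1db41a9bdbfad78a6815f42e45da16ad0252673b9a2b5dcefc02c47b"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "r\0strcmp\0pam_prompt\0" — NUL-separated symbol names, including the
        // PAM helper pam_prompt; likely a .dynstr fragment of a PAM-linked binary.
        $a = { 72 00 73 74 72 63 6D 70 00 70 61 6D 5F 70 72 6F 6D 70 74 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Skidmap.yar ====
rule Linux_Trojan_Skidmap_aa7b661d {
    meta:
        id = "aa7b661d-0ecc-4171-a0c2-a6c0c91b6d27"
        fingerprint = "0bd6bec14d4b0205b04c6b4f34988ad95161f954a1f0319dd33513cb2c7e5f59"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Skidmap"
        reference_sample = "4282ba9b7bee69d42bfff129fff45494fb8f7db0e1897fc5aa1e4265cb6831d9"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64: cmp al,0x1a / cmovae eax,r9d / mov [rsi+rcx],al / add rcx,1 /
        // movzx eax,byte [rdi+rcx] — a byte-wise transform loop bounded by 26
        // (alphabet-sized), i.e. a letter-substitution style encoding (TODO confirm).
        $a = { E8 41 41 80 F8 1A 41 0F 43 C1 88 04 0E 48 83 C1 01 0F B6 04 0F }
    condition:
        all of them
}

// ==== /yara/rules/Windows_Rootkit_R77.yar ====
rule Windows_Rootkit_R77_5bab748b {
    meta:
        id = "5bab748b-8576-4967-9b50-a3778db1dd71"
        fingerprint = "2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa"
        creation_date = "2022-03-04"
        last_modified = "2022-04-12"
        threat_name = "Windows.Rootkit.R77"
        reference_sample = "cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // x86-64: add [rax+rdx],eax / mov ecx,[r10+4] / inc r9 / lea rax,[rcx-8] /
        // shr rax,1 / cmp r9,rax — a loop whose bound is (field-8)/2, consistent with
        // walking 16-bit elements after an 8-byte header (TODO confirm).
        $a = { 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8 }
    condition:
        all of them
}

// ==== /yara/rules/Windows_Trojan_CaesarKbd.yar ====
rule Windows_Trojan_CaesarKbd_32bb198b {
    meta:
        id = "32bb198b-ec03-4628-8e9b-bc36c2525ec7"
        fingerprint = "54ed92761bb619ae4dcec9c27127d6c2a74a575916249cd5db24b8deb2ee0588"
        creation_date = "2022-04-04"
        last_modified = "2022-06-09"
        threat_name = "Windows.Trojan.CaesarKbd"
        reference_sample = "d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // Device/IOCTL identifier string embedded in the driver.
        $str1 = "CaesarKbd_IOCtrl"
    condition:
        // Same PE Subsystem check as Windows_Trojan_ProtectS_9f6eaa90: e_lfanew + 0x5c
        // is the optional header's Subsystem field; 1 == IMAGE_SUBSYSTEM_NATIVE (driver).
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

// ==== /yara/rules/Linux_Backdoor_Python.yar ====
rule Linux_Backdoor_Python_00606bac {
    meta:
        id = "00606bac-83eb-4a58-82d2-e4fd16d30846"
        fingerprint = "cce1d0e7395a74c04f15ff95f6de7fd7d5f46ede83322b832df74133912c0b17"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Backdoor.Python"
        reference_sample = "b3e3728d43535f47a1c15b915c2d29835d9769a9dc69eb1b16e40d5ba1b98460"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386 (unoptimised): add dword [ebp-8],1 / mov eax,[ebp-8] / movzx eax,byte [eax] /
        // test al,al / jne -0xe / add dword [ebp-8],1 — advances a pointer to the NUL
        // terminator, then steps past it (walking a NUL-separated string list).
        $a = { F4 01 83 45 F8 01 8B 45 F8 0F B6 00 84 C0 75 F2 83 45 F8 01 8B }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Exploit_Intfour.yar ====
rule Linux_Exploit_Intfour_0ca45cd3 {
    meta:
        id = "0ca45cd3-089c-4d7f-9088-dc972c14bd9d"
        fingerprint = "8926a8cfd7f3adf29e399a945592063039b80dcc0545b133b453aaf198d31461"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Intfour"
        reference_sample = "9d32c5447aa5182b4be66b7a283616cf531a2fd3ba3dde1bc363b24d8b22682f"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII "m(code, 1024, &needle" — looks like a C source-code fragment carried
        // in the binary (e.g. an assert/log string); TODO confirm.
        $a = { 6D 28 63 6F 64 65 2C 20 31 30 32 34 2C 20 26 6E 65 65 64 6C 65 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Rootkit_Arkd.yar ====
rule Linux_Rootkit_Arkd_bbd56917 {
    meta:
        id = "bbd56917-aeab-4e73-b85b-adc41fc7ffe4"
        fingerprint = "73c8b2685b6b568575afca3c3c2fe2095d94f2040f4a1207974fe77bbb657163"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Rootkit.Arkd"
        reference_sample = "e0765f0e90839b551778214c2f9ae567dd44838516a3df2c73396a488227a600"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // i386: jge +0xb / mov eax,-1 / jmp +0x11 / nop(4) / cmp ecx,eax / jg +4 /
        // xor eax,eax / jmp +5 / mov eax,1 — a three-way comparator returning -1/0/1.
        // NOTE(review): generic gcc output for any such comparator; FP-prone on its own.
        $a = { 7D 0B B8 FF FF FF FF EB 11 8D 74 26 00 39 C1 7F 04 31 C0 EB 05 B8 01 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Trojan_Adlibrary.yar ====
rule Linux_Trojan_Adlibrary_0287a105 {
    meta:
        id = "0287a105-a1ba-4256-bfcf-aad40e6070ed"
        fingerprint = "bb12e72441f87971febb50141e3f520c1858220b081c2b0587dd8f1fac29b4ed"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Adlibrary"
        reference_sample = "acb22b88ecfb31664dc07b2cb3490b78d949cd35a67f3fdcd65b1a4335f728f1"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Looks like consecutive ELF32 relocation entries: r_info type 7 (R_386_JMP_SLOT)
        // with symbol indices 0x2a/0x2b/0x2c and GOT slots 0x19ff4/0x19ff8 — i.e. a
        // .rel.plt fragment tied to one specific link layout (TODO confirm).
        $a = { 07 2A 00 00 F4 9F 01 00 07 2B 00 00 F8 9F 01 00 07 2C 00 00 }
    condition:
        all of them
}

// ==== /yara/rules/Linux_Virus_Staffcounter.yar ====
rule Linux_Virus_Staffcounter_d2d608a8 {
    meta:
        id = "d2d608a8-2d65-4b10-be71-0a0a6a027920"
        fingerprint = "a791024dc3064ed2e485e5c57d7ab77fc1ec14665c9302b8b572ac4d9d5d2f93"
        creation_date = "2021-06-28"
        last_modified = "2021-09-16"
        threat_name = "Linux.Virus.Staffcounter"
        // Normalised from `reference` / severity = "100" to match the rest of the listing.
        reference_sample = "06e562b54b7ee2ffee229c2410c9e2c42090e77f6211ce4b9fa26459ff310315"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // ASCII ' "\0 Linux" <\0To: "\0 ' — mail-header style fragments (`To: "`) from a
        // reporting/formatting routine.
        $a = { 20 22 00 20 4C 69 6E 75 78 22 20 3C 00 54 6F 3A 20 22 00 20 }
    condition:
        all of them
}

// ==== /yara/rules/Windows_Trojan_Farfli.yar ====
rule Windows_Trojan_Farfli_85d1bcc9 {
    meta:
        id = "85d1bcc9-c3c7-454c-a77f-0e0de933c4c3"
        fingerprint = "56a5e4955556d08b80849ea5775f35f5a32999d6b5df92357ab142a4faa74ac3"
        creation_date = "2022-02-17"
        last_modified = "2022-04-12"
        threat_name = "Windows.Trojan.Farfli"
        reference_sample = "e3e9ea1b547cc235e6f1a78b4ca620c69a54209f84c7de9af17eb5b02e9b58c3"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // (rule continues in the next chunk; the hex string below is truncated here)
        $a = { AB 66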
AB C6 45 D4 25 C6 45 D5 73 C6 45 D6 5C C6 45 D7 25 C6 45 } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Bscope.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Cryptominer_Bscope_348b7fa0 { 2 | meta: 3 | id = "348b7fa0-e226-4350-8697-345ae39fa0f6" 4 | fingerprint = "caae9d3938f9269f8bc30e4837021513ca6e4e2edd1117d235b0d25474df5357" 5 | creation_date = "2021-01-12" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Cryptominer.Bscope" 8 | reference_sample = "a6fb80d77986e00a6b861585bd4e573a927e970fb0061bf5516f83400ad7c0db" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { 04 8B 00 03 45 C0 89 02 8B 45 08 8D 50 08 8B 45 08 83 C0 08 } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Ursu.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Cryptominer_Ursu_3c05f8ab { 2 | meta: 3 | id = "3c05f8ab-d1b8-424b-99b7-1fe292ae68ff" 4 | fingerprint = "463d4f675589e00284103ef53d0749539152bbc3772423f89a788042805b3a21" 5 | creation_date = "2021-01-12" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Cryptominer.Ursu" 8 | reference_sample = "d72361010184f5a48386860918052dbb8726d40e860ea0287994936702577956" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { 64 55 4C 2C 20 0A 09 30 78 33 30 32 38 36 30 37 38 32 38 37 38 } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Xpaj.yar: 
--------------------------------------------------------------------------------
// Single 21-byte pattern whose bytes are ASCII "rror: Get%s temp retu" (the tail
// of an error/format message), so this rule keys on a string, not on code.
rule Linux_Cryptominer_Xpaj_fdbd614e {
    meta:
        id = "fdbd614e-e628-43ff-86d4-1057f9d544ac"
        fingerprint = "456b69d4035aa2d682ba081c2f7b24c696f655ec164645f83c9aef5bd262f510"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Cryptominer.Xpaj"
        reference_sample = "3e2b1b36981713217301dd02db33fb01458b3ff47f28dfdc795d8d1d332f13ea"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 72 72 6F 72 3A 20 47 65 74 25 73 20 74 65 6D 70 20 72 65 74 75 }
    condition:
        // Only one string is declared, so `all of them` is the same as `$a`.
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Cryptominer_Zexaf.yar:
--------------------------------------------------------------------------------
// 32-bit x86 shift/or sequence (shl ...,0x18 / shr ...,8 / or) — looks like
// byte-reassembly arithmetic from the sample; confirm against the reference.
rule Linux_Cryptominer_Zexaf_b90e7683 {
    meta:
        id = "b90e7683-84bf-4c07-b6ef-54c631280217"
        fingerprint = "4ca9fad98bdde19f71c117af9cb87007dc46494666e7664af111beded1100ae4"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Cryptominer.Zexaf"
        reference_sample = "98650ebb7e463a06e737bcea4fd2b0f9036fafb0638ba8f002e6fe141b9fecfe"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 89 F2 C1 E7 18 C1 E2 18 C1 ED 08 09 D5 C1 EE 08 8B 14 24 09 FE }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Ransomware_Hive.yar:
--------------------------------------------------------------------------------
// x86-64 code bytes (REX-prefixed 48/4C movs plus a cmp/jae); 22-byte window.
rule Linux_Ransomware_Hive_bdc7de59 {
    meta:
        id = "bdc7de59-bf12-461f-99e0-ec2532ace4e9"
        fingerprint = "415ef589a1c2da6b16ab30fb68f938a9ee7917f5509f73aa90aeec51c10dc1ff"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Ransomware.Hive"
        reference_sample = "713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 40 03 4C 39 C1 73 3A 4C 89 84 24 F0 00 00 00 48 89 D3 48 89 CF 4C }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Rootkit_Dakkatoni.yar:
--------------------------------------------------------------------------------
// Shift/xor/and arithmetic (shl eax,13; xor ecx,eax; and esi,3; add esi,5) —
// looks like one step of a hash or PRNG routine; confirm against the sample.
rule Linux_Rootkit_Dakkatoni_010d3ac2 {
    meta:
        id = "010d3ac2-0bb2-4966-bf5f-fd040ba07311"
        fingerprint = "2c7935079dc971d2b8a64c512ad677e946ff45f7f1d1b62c3ca011ebde82f13b"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Rootkit.Dakkatoni"
        reference_sample = "38b2d033eb5ce87faa4faa7fcac943d9373e432e0d45e741a0c01d714ee9d4d3"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 89 C8 C1 E0 0D 31 C1 89 CE 83 E6 03 83 C6 05 89 C8 31 D2 C1 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Azeela.yar:
--------------------------------------------------------------------------------
// Unoptimised x86-64 byte-scan loop: reload pointer from [rbp-8], movzx the byte,
// cmp al,0xFF, branch. Reads like -O0 compiler output; confirm against the sample.
rule Linux_Trojan_Azeela_aad9d6cc {
    meta:
        id = "aad9d6cc-32ff-431a-9914-01c7adc80877"
        fingerprint = "3b7c73a378157350344d52acd6c210d5924cf55081b386d0d60345e4c44c5921"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Azeela"
        reference_sample = "6c476a7457ae07eca3d3d19eda6bb6b6b3fa61fa72722958b5a77caff899aaa6"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { C0 74 07 B8 01 00 00 00 EB 31 48 8B 45 F8 0F B6 00 3C FF 74 21 48 83 45 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Connectback.yar:
--------------------------------------------------------------------------------
// 32-bit Linux syscall stub: `B0 03 CD 80` is mov al,3 / int 0x80 followed by a
// sign check and an indirect jmp (FF E1) — hand-written, shellcode-style code.
rule Linux_Trojan_Connectback_bf194c93 {
    meta:
        id = "bf194c93-92d8-4eba-99c4-326a5ea76d0d"
        fingerprint = "6e72b14be0a0a6e42813fa82ee77d057246ccba4774897b38acf2dc30c894023"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Connectback"
        reference_sample = "6784cb86460bddf1226f71f5f5361463cbda487f813d19cd88e8a4a1eb1a417b"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { B6 0C B0 03 CD 80 85 C0 78 02 FF E1 B8 01 00 00 00 BB 01 00 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Mumblehard.yar:
--------------------------------------------------------------------------------
// Ends in `B8 02 00 00 00 ... CD 80`: eax=2 then int 0x80, i.e. sys_fork on
// 32-bit Linux. Hand-rolled syscall code rather than libc.
rule Linux_Trojan_Mumblehard_523450aa {
    meta:
        id = "523450aa-6bb4-4863-9656-81a6e6cb7d88"
        fingerprint = "783f07e4f4625c061309af2d89e9ece0ba4a8ce21a7d93ce19cd32bcd6ad38e9"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Mumblehard"
        reference_sample = "a637ea8f070e1edf2c9c81450e83934c177696171b24b4dff32dfb23cefa56d3"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 09 75 05 89 03 89 53 04 B8 02 00 00 00 50 80 F9 09 75 0B CD 80 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Pornoasset.yar:
--------------------------------------------------------------------------------
// ror/rol/xor followed by three `48 0F AF F0` (imul rsi,rax) — mixing arithmetic
// that looks like a hash or PRNG routine; confirm against the sample.
rule Linux_Trojan_Pornoasset_927f314f {
    meta:
        id = "927f314f-2cbb-4f87-b75c-9aa5ef758599"
        fingerprint = "7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Pornoasset"
        reference_sample = "d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48 }
    condition:
        // Single declared string: `all of them` == `$a`.
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Rotajakiro.yar:
--------------------------------------------------------------------------------
// x86-64 function prologue (push r14/r13/r12, mov r13,rdi, push rbp/rbx,
// movsxd rbx,esi, sub rsp,8) followed by a movzx of the first byte of arg 1.
// NOTE(review): the meta block differs from the sibling rules — it uses
// `reference` instead of `reference_sample` and `severity` is the string "100"
// rather than the integer 100. Tooling that keys on `reference_sample` or on a
// numeric severity will treat this rule differently; confirm whether intended.
rule Linux_Trojan_Rotajakiro_fb24f399 {
    meta:
        id = "fb24f399-d2bc-4cca-a3b8-4d924f11c83e"
        fingerprint = "6b19a49c93a0d3eb380c78ca21ce4f4d2991c35e68d2b75e173dc25118ba2c20"
        creation_date = "2021-06-28"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Rotajakiro"
        reference = "023a7f9ed082d9dd7be6eba5942bfa77f8e618c2d15a8bc384d85223c5b91a0c"
        severity = "100"
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 41 56 41 55 41 54 49 89 FD 55 53 48 63 DE 48 83 EC 08 0F B6 17 80 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Sambashell.yar:
--------------------------------------------------------------------------------
// Little-endian dword values (… FC 0E 00 00 / FC 1E 00 00 / 74 28 00 00) rather
// than instructions — looks like header or table fields (e.g. ELF program-header
// sizes/offsets); confirm against the sample before relying on it.
rule Linux_Trojan_Sambashell_f423755d {
    meta:
        id = "f423755d-60ec-4442-beb1-0820df0fe00b"
        fingerprint = "ea13320c358cadc8187592de73ceb260a00f28907567002d4f093be21f111f74"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Sambashell"
        reference_sample = "bd8a3728a59afbf433799578ef597b9a7211c8d62e87a25209398814851a77ea"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 00 01 00 00 00 FC 0E 00 00 FC 1E 00 00 FC 1E 00 00 74 28 00 00 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/MacOS_Backdoor_Applejeus.yar:
--------------------------------------------------------------------------------
// x86-64 decode loop: `80 34 0F 63` is xor byte ptr [rdi+rcx],0x63, then
// inc rcx / cmp rax,rcx / jne — a buffer XORed with the single-byte key 0x63.
rule MacOS_Backdoor_Applejeus_31872ae2 {
    meta:
        id = "31872ae2-f6df-4079-89c2-866cb2e62ec8"
        fingerprint = "24b78b736f691e6b84ba88b0bb47aaba84aad0c0e45cf70f2fa8c455291517df"
        creation_date = "2021-10-18"
        last_modified = "2021-10-25"
        threat_name = "MacOS.Backdoor.Applejeus"
        reference_sample = "e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "macos"
    strings:
        $a = { FF CE 74 12 89 F0 31 C9 80 34 0F 63 48 FF C1 48 39 C8 75 F4 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/MacOS_Virus_Pirrit.yar:
--------------------------------------------------------------------------------
// Unrolled run of `80 35 <disp32> <imm8>` (xor byte ptr [rip+disp], imm8). Each
// instruction is 7 bytes and the displacement shrinks by 6, so the targets are
// consecutive bytes, each XORed with its own key (0x32, 0x75, 0x1F, …) —
// in-place decoding of an embedded string.
rule MacOS_Virus_Pirrit_271b8ed0 {
    meta:
        id = "271b8ed0-937a-4be6-aecb-62535b5aeda7"
        fingerprint = "12b09b2e3a43905db2cfe96d0fd0e735cfc7784ee7b03586c5d437d7c6a1b422"
        creation_date = "2021-10-05"
        last_modified = "2021-10-25"
        threat_name = "MacOS.Virus.Pirrit"
        reference_sample = "7feda05d41b09c06a08c167c7f4dde597ac775c54bf0d74a82aa533644035177"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "macos"
    strings:
        $a = { 35 4A 6A 00 00 32 80 35 44 6A 00 00 75 80 35 3E 6A 00 00 1F 80 35 38 6A 00 00 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Windows_Trojan_Lucifer.yar:
--------------------------------------------------------------------------------
// Looks like CIL (.NET) bytecode rather than native code: `28 xx xx xx 0A` is
// `call` with a MemberRef token, `DE 02` leave.s, `DC` endfinally, `6F` callvirt.
// Managed-code patterns shift easily between compiler versions; confirm coverage.
rule Windows_Trojan_Lucifer_ce9d4cc8 {
    meta:
        id = "ce9d4cc8-8f16-4272-a54b-e500d4edea9b"
        fingerprint = "77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55"
        creation_date = "2022-02-17"
        last_modified = "2022-04-12"
        threat_name = "Windows.Trojan.Lucifer"
        reference_sample = "1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Windows_Trojan_Lurker.yar:
--------------------------------------------------------------------------------
// Driver-specific rule: the condition parses the PE header, which is why
// scan_context is file-only. Severity is 50 here, lower than the sibling rules.
rule Windows_Trojan_Lurker_0ee51802 {
    meta:
        id = "0ee51802-4ff3-4edf-95ed-bb0338ff25d9"
        fingerprint = "c30bc4e25c1984268a3bb44c59081131d1e81254b94734f6af2b47969c0acd0e"
        creation_date = "2022-04-04"
        last_modified = "2022-06-09"
        threat_name = "Windows.Trojan.Lurker"
        reference_sample = "5718fd4f807e29e48a8b6a6f4484426ba96c61ec8630dc78677686e0c9ba2b87"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // Device object name; `wide` = UTF-16LE, `fullword` = no alnum neighbours.
        $str1 = "\\Device\\ZHWLurker0410" wide fullword
    condition:
        // uint32(0x3C) is e_lfanew; +0x5c (4 signature + 20 COFF header + 68)
        // is OptionalHeader.Subsystem for both PE32 and PE32+. Subsystem 1 is
        // IMAGE_SUBSYSTEM_NATIVE, so only native/kernel-mode images can match,
        // which is consistent with the \Device\ name above.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Cryptominer_Casdet.yar:
--------------------------------------------------------------------------------
// x86-64 loop tail: `48 8B BC 24 A0 00 00 00` mov rdi,[rsp+0xa0], then
// `48 85 FF 74 D7` test rdi,rdi / jz backwards.
rule Linux_Cryptominer_Casdet_5d0d33be {
    meta:
        id = "5d0d33be-e53e-4188-9957-e1af2a802867"
        fingerprint = "2d584f6815093d37bd45a01146034d910b95be51462f01f0d4fc4a70881dfda6"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Cryptominer.Casdet"
        reference_sample = "4b09115c876a8b610e1941c768100e03c963c76b250fdd5b12a74253ef9e5fb6"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { C3 EB 05 48 89 C3 EB CF 48 8B BC 24 A0 00 00 00 48 85 FF 74 D7 48 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Cryptominer_Minertr.yar:
--------------------------------------------------------------------------------
// x86-64 function prologue: push r14/r13/r12/rbp/rbx, sub rsp,0x78, then the
// first argument spills (mov [rsp],rdi; mov ebx,esi). Prologues are generic by
// nature; the tail bytes are what carry the specificity here.
rule Linux_Cryptominer_Minertr_9901e275 {
    meta:
        id = "9901e275-3053-47ea-8c36-6c9271923b64"
        fingerprint = "f27e404d545f3876963fd6174c4235a4fe4f69d53fe30a2d29df9dad6d97b7f7"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Cryptominer.Minertr"
        reference_sample = "f77246a93782fd8ee40f12659f41fccc5012a429a8600f332c67a7c2669e4e8f"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 41 56 41 55 41 54 55 53 48 83 EC 78 48 89 3C 24 89 F3 89 74 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Ransomware_Gonnacry.yar:
--------------------------------------------------------------------------------
// Plain x86-64 prologue (push rbp; mov rbp,rsp; sub rsp,0x10; mov [rbp-8],rdi)
// followed by an unconditional jmp into a loop — -O0 style output. The first
// 11 bytes are generic; the jmp displacement (EB 56) and reloads provide the
// distinctiveness.
rule Linux_Ransomware_Gonnacry_53c3832d {
    meta:
        id = "53c3832d-ceff-407d-920b-7b6442688fa9"
        fingerprint = "7d93c26c9e069af5cef964f5747104ba6d1d0d030a1f6b1c377355223c5359a1"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Ransomware.Gonnacry"
        reference_sample = "f5de75a6db591fe6bb6b656aa1dcfc8f7fe0686869c34192bfa4ec092554a4ac"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 55 48 89 E5 48 83 EC 10 48 89 7D F8 EB 56 48 8B 45 F8 48 8B }
    condition:
        // Single declared string: `all of them` == `$a`.
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Backconnect.yar:
--------------------------------------------------------------------------------
// Accumulate-and-compare loop: cdqe; add rbx,rax; add r13,rax; cmp rbx,0x33;
// jbe back — looks like a loop that keeps reading until 0x33 bytes have
// arrived; confirm against the sample.
rule Linux_Trojan_Backconnect_c6803b39 {
    meta:
        id = "c6803b39-e2e0-4ab8-9ead-e53eab26bb53"
        fingerprint = "1dfb097c90b0cf008dc9d3ae624e08504755222f68ee23ed98d0fa8803cff91a"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Backconnect"
        reference_sample = "a5e6b084cdabe9a4557b5ff8b2313db6c3bb4ba424d107474024030115eeaa0f"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 78 3A 48 98 48 01 C3 49 01 C5 48 83 FB 33 76 DC 31 C9 BA 10 00 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Merlin.yar:
--------------------------------------------------------------------------------
// NOTE(review): $a and the fingerprint are byte-for-byte identical to
// Windows_Trojan_Merlin_e8ecb3be (same creation date); presumably the same
// platform-independent code sequence in a cross-compiled build of the agent.
// If either rule's pattern is changed the other should be revisited too.
// Bytes are x86-64 imul/add/mov sequences (4D 0F AF F4 = imul r14,r12).
rule Linux_Trojan_Merlin_55beddd3 {
    meta:
        id = "55beddd3-735b-4e0c-a387-e6a981cd42a3"
        fingerprint = "54e03337930d74568a91e797cfda3b7bfbce3aad29be2543ed58c51728d8e185"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Trojan.Merlin"
        reference_sample = "15ccdf2b948fe6bd3d3a7f5370e72cf3badec83f0ec7f47cdf116990fb551adf"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { AF F0 4C 01 F1 4C 8B B4 24 A8 00 00 00 4D 0F AF F4 4C 01 F1 4C 8B B4 24 B0 00 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/MacOS_Trojan_Fplayer.yar:
--------------------------------------------------------------------------------
// Function entry: pushes, sub rsp,0x48, then a run of register moves
// (mov r12,r8; mov rax,rcx; mov rcx,rdx; mov r14,rsi; mov r13,rdi) that
// shuffles the incoming arguments — typical of optimised code; confirm.
rule MacOS_Trojan_Fplayer_1c1fae37 {
    meta:
        id = "1c1fae37-8d19-4129-a715-b78163f93fd2"
        fingerprint = "abeb3cd51c0ff2e3173739c423778defb9a77bc49b30ea8442e6ec93a2d2d8d2"
        creation_date = "2021-10-05"
        last_modified = "2021-10-25"
        threat_name = "MacOS.Trojan.Fplayer"
        reference_sample = "f57e651088dee2236328d09705cef5e98461e97d1eb2150c372d00ca7c685725"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "macos"
    strings:
        $a = { 56 41 55 41 54 53 48 83 EC 48 4D 89 C4 48 89 C8 48 89 D1 49 89 F6 49 89 FD 49 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/MacOS_Trojan_Generic.yar:
--------------------------------------------------------------------------------
// High-entropy bytes with no recognisable instruction structure — looks like an
// embedded constant/key blob rather than code; confirm against the sample.
rule MacOS_Trojan_Generic_a829d361 {
    meta:
        id = "a829d361-ac57-4615-b8e9-16089c44d7af"
        fingerprint = "5dba43dbc5f4d5ee295e65d66dd4e7adbdb7953232faf630b602e6d093f69584"
        creation_date = "2021-10-05"
        last_modified = "2021-10-25"
        threat_name = "MacOS.Trojan.Generic"
        reference_sample = "5b2a1cd801ae68a890b40dbd1601cdfeb5085574637ae8658417d0975be8acb5"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "macos"
    strings:
        $a = { E7 81 6A 12 EA A8 56 6C 86 94 ED F6 E8 D7 35 E1 EC 65 47 BA 8E 46 2C A6 14 5F }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Windows_Cryptominer_Generic.yar:
--------------------------------------------------------------------------------
// SSE2 vector arithmetic: `66 0F EF` pxor, `66 0F FE` paddd, `66 0F 6F` movdqa
// — consistent with a vectorised hashing loop. File-only scan context.
rule Windows_Cryptominer_Generic_dd1e4d1a {
    meta:
        id = "dd1e4d1a-2e2f-4af0-bd66-2e12367dd064"
        fingerprint = "a00e3e08e11d10a7a4bf1110a5110e4d0a4d2acf0974aca9dfc1ad5f21c80df7"
        creation_date = "2021-01-12"
        last_modified = "2021-08-23"
        threat_name = "Windows.Cryptominer.Generic"
        reference_sample = "7ac1d7b6107307fb2442522604c8fa56010d931392d606ac74dcea6b7125954b"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { EF F9 66 0F EF FA 66 0F FE FE 66 0F 6F B0 B0 00 00 00 66 0F }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Windows_Exploit_Eternalblue.yar:
--------------------------------------------------------------------------------
// x86-64 byte-copy loop: mov dil,[rsi+rcx]; mov [rax+rcx],dil; inc rcx;
// cmp rcx,rdx; jne. A memcpy-like idiom; the `40` REX prefix on the byte moves
// is what keeps this from being entirely generic. File-only scan context.
rule Windows_Exploit_Eternalblue_ead33bf8 {
    meta:
        id = "ead33bf8-1870-4d01-a223-edcbe262542f"
        fingerprint = "9e3b5f4f0b8ac683544886abbd9eecbf0253a7992ee5d99c453de67b9aacdccd"
        creation_date = "2021-01-12"
        last_modified = "2021-08-23"
        threat_name = "Windows.Exploit.Eternalblue"
        reference_sample = "a1340e418c80be58fb6bbb48d4e363de8c6d62ea59730817d5eda6ba17b2c7a7"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { F8 31 C9 EB 0B 40 8A 3C 0E 40 88 3C 08 48 FF C1 48 39 D1 75 }
    condition:
        all of them
}

<br>
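/yara/rules/Windows_Ransomware_Conti.yar: --------------------------------------------------------------------------------
// NOTE(review): this page is a concatenated dump of Elastic protections-artifacts
// YARA rules in which the original line breaks were collapsed and per-line gutter
// numbers ("1 |", "2 |", ...) were folded into the rule text. The rules below are
// restored to conventional YARA layout; meta, strings and conditions are reproduced
// unchanged unless a comment says otherwise. None of the rules on this page anchor on
// a file-format header (no PE/ELF magic test, no "pe"/"elf" module), so a lone hex
// pattern fires wherever that byte sequence occurs in a scanned file or memory region.

// Conti: a single short code-byte sequence, required in full. Decoded, it reads as the
// tail of a divide-and-store loop (idiv / mov [edi-1],dl / sub ebx,1 / jne) followed by
// a function epilogue; a recompile of the same family is unlikely to match.
rule Windows_Ransomware_Conti_89f3f6fa {
    meta:
        id = "89f3f6fa-492c-40e3-a4aa-a526004197b2"
        fingerprint = "a82331eba3cbd52deb4bed5e11035ac1e519ec27931507f582f2985865c0fb1a"
        creation_date = "2021-08-05"
        last_modified = "2021-10-04"
        threat_name = "Windows.Ransomware.Conti"
        reference_sample = "eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { F7 FE 88 57 FF 83 EB 01 75 DA 8B 45 FC 5F 5B 40 5E 8B E5 5D C3 8D }
    condition:
        all of them
}

-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Merlin.yar: --------------------------------------------------------------------------------
// Merlin: one code-byte sequence. The 4C/4D bytes read as REX prefixes (imul r14,r12 /
// add rcx,r14 / rsp-relative loads), i.e. 64-bit code, although arch_context says
// "x86" -- in this corpus that field appears to mean the x86 family, not 32-bit only.
rule Windows_Trojan_Merlin_e8ecb3be {
    meta:
        id = "e8ecb3be-edba-4617-b4df-9d5b6275d310"
        fingerprint = "54e03337930d74568a91e797cfda3b7bfbce3aad29be2543ed58c51728d8e185"
        creation_date = "2022-01-05"
        last_modified = "2022-04-12"
        threat_name = "Windows.Trojan.Merlin"
        reference_sample = "768c120e63d3960a0842dcc538749955ab7caabaeaf3682f6d1e30666aac65a8"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { AF F0 4C 01 F1 4C 8B B4 24 A8 00 00 00 4D 0F AF F4 4C 01 F1 4C 8B B4 24 B0 00 }
    condition:
        all of them
}

-------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Presenoker.yar: --------------------------------------------------------------------------------
// Presenoker: one code-byte sequence built around SSE moves (movdqu / movd / movaps)
// and a test edx,edx; nothing in the pattern ties it to a particular ELF layout.
rule Linux_Cryptominer_Presenoker_3bb5533d {
    meta:
        id = "3bb5533d-4722-4801-9fbb-dd2c916cffc6"
        fingerprint = "a3005a07901953ae8def7bd9d9ec96874da0a8aedbebde536504abed9d4191fd"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Cryptominer.Presenoker"
        reference_sample = "bbc155c610c7aa439f98e32f97895d7eeaef06dab7cca05a5179b0eb3ba3cc00"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 47 10 74 72 F3 0F 6F 00 66 0F 7E C2 0F 29 04 24 85 D2 F3 0F 6F }
    condition:
        all of them
}

-------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2017_100011.yar: --------------------------------------------------------------------------------
// The hex below is plain ASCII for "] done, kernel text:" -- a progress message printed
// by a public PoC, i.e. this matches the exploit binary's output strings, not the
// vulnerability. NOTE(review): "CVE-2017-100011" is not a well-formed/known CVE
// identifier; it looks like a truncated 7-digit ID (CVE-2017-1000xxx). Confirm the
// intended CVE against the reference sample and correct the rule name and threat_name
// upstream -- the name is left as found here rather than guessed.
rule Linux_Exploit_CVE_2017_100011_21025f50 {
    meta:
        id = "21025f50-93af-4ea7-bdcb-ab4e210b8ac6"
        fingerprint = "a50c81daf4f081d7ddf61d05ab64d8fada5c4d6cdf8d28eb30c689e868d905aa"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2017-100011"
        reference_sample = "32db88b2c964ce48e6d1397ca655075ea54ce298340af55ea890a2411a67d554"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // "] done, kernel text:"
        $a = { 5D 20 64 6F 6E 65 2C 20 6B 65 72 6E 65 6C 20 74 65 78 74 3A }
    condition:
        all of them
}

-------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2018_10561.yar: --------------------------------------------------------------------------------
// CVE-2018-10561 (GPON router auth bypass) scanner/exploit: one opaque byte sequence
// that does not decode to obvious x86 code or text; treat it as a sample-derived blob.
rule Linux_Exploit_CVE_2018_10561_0f246e33 {
    meta:
        id = "0f246e33-0e98-4778-8a2f-14876d1a0efe"
        fingerprint = "718b66d3d65d31f0908c8f7d7aee8113e9b51cb576cd725bbca1a23d3ccd4d72"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2018-10561"
        reference_sample = "eac08c105495e6fadd8651d2e9e650b6feba601ec78f537b17fb0e73f2973a1c"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 0B DF 0B 75 87 8C 5C 03 03 7A 4B 7A 95 4A A5 D2 13 6A 6A 5A 5A }
    condition:
        all of them
}

-------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2019_13272.yar: --------------------------------------------------------------------------------
// CVE-2019-13272 (ptrace_link) PoC: x86-64 stack-slot shuffling (mov [rbp-0xC0],rax /
// mov rax,[rbp-0x28] / add rax,0x20 ...) typical of an unoptimised build of the public
// exploit; an -O2 build will not match.
rule Linux_Exploit_CVE_2019_13272_583dd2c0 {
    meta:
        id = "583dd2c0-9e94-4d38-bdff-e6c3b7c7d594"
        fingerprint = "afc96d47ad2564f69d2fb9a39e882bfc5b4879f0a8abbf36d5e3af6a52dccd63"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2019-13272"
        reference_sample = "3191b9473f3e59f55e062e6bdcfe61b88974602c36477bfa6855ccd92ff7ca83"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 48 89 85 40 FF FF FF 48 8B 45 D8 48 83 C0 20 48 89 85 38 FF }
    condition:
        all of them
}

-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DBatLoader.yar: --------------------------------------------------------------------------------
// DBatLoader: 32-bit code sequence -- a byte load (movzx edi, byte [eax+ebx-1]) feeding
// 16-bit add/imul against stack locals, which reads like a payload-decoding loop.
rule Windows_Trojan_DBatLoader_f93a8e90 {
    meta:
        id = "f93a8e90-10ac-44de-ac3b-c0e976628e98"
        fingerprint = "81b87663fbad9854430e5c4dcade464a15b995e645f9993a3e234593ee4df901"
        creation_date = "2022-03-11"
        last_modified = "2022-04-12"
        threat_name = "Windows.Trojan.DBatLoader"
        reference_sample = "f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { FF 00 74 17 8B 45 E8 0F B6 7C 18 FF 66 03 7D EC 66 0F AF 7D F4 66 03 }
    condition:
        all of them
}

-------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2014_3153.yar: --------------------------------------------------------------------------------
// CVE-2014-3153 (futex / "towelroot") PoC: starts with an unoptimised x86-64 prologue
// (push rbp / mov rbp,rsp / sub rsp,0x40); the specific stack-slot accesses and the
// mov edx,0x24 that follow are what make the sequence distinctive.
rule Linux_Exploit_CVE_2014_3153_1c1e02ad {
    meta:
        id = "1c1e02ad-eb06-4eb6-a424-0f1dd6eebb2a"
        fingerprint = "a0a82cd15713be3f262021d6ed6572a0d4763ccfd0499e6b9374764c89705c2a"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2014-3153"
        reference_sample = "64b8c61b73f0c0c0bd44ea5c2bcfb7b665fcca219dbe074a4a16ae20cd565812"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 55 48 89 E5 48 83 EC 40 48 89 7D C8 48 8D 4D D0 48 8B 45 C8 BA 24 00 }
    condition:
        all of them
}

-------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Infectionmonkey.yar: --------------------------------------------------------------------------------
// Infection Monkey (open-source breach/attack simulation agent): 32-bit function
// epilogue (cmp edx,-1 / cmovz edx,eax / add esp,0x1c / ret). Severity 100 is notable
// for a tool that is also run deliberately by defenders; tune per environment.
rule Linux_Hacktool_Infectionmonkey_6c84537b {
    meta:
        id = "6c84537b-6aa1-40d5-b14c-f78d7e67823d"
        fingerprint = "e9275f5fd8df389a4c99f69c09df1e3e515d8b958616e6d4d2c82d693deb4908"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Hacktool.Infectionmonkey"
        reference_sample = "d941943046db48cf0eb7f11e144a79749848ae6b50014833c5390936e829f6c3"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 75 14 8B 54 24 0C 83 FA FF 0F 44 D0 83 C4 1C 89 D0 C3 8D 74 }
    condition:
        all of them
}

-------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Sodinokibi.yar: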
-------------------------------------------------------------------------------- 1 | rule Linux_Ransomware_Sodinokibi_2883d7cd { 2 | meta: 3 | id = "2883d7cd-fd3b-47a5-9283-a40335172c62" 4 | fingerprint = "d6570a8e9358cef95388a72b2e7f747ee5092620c4f92a4b4e6c1bb277e1cb36" 5 | creation_date = "2022-01-05" 6 | last_modified = "2022-01-26" 7 | threat_name = "Linux.Ransomware.Sodinokibi" 8 | reference_sample = "a322b230a3451fd11dcfe72af4da1df07183d6aaf1ab9e062f0e6b14cf6d23cd" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { 85 08 FF FF FF 48 01 85 28 FF FF FF 48 8B 85 08 FF FF FF 48 29 85 20 FF } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_ArkeiStealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_ArkeiStealer_84c7086a { 2 | meta: 3 | id = "84c7086a-abc3-4b97-b325-46a078b90a95" 4 | fingerprint = "f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d" 5 | creation_date = "2022-02-17" 6 | last_modified = "2022-04-12" 7 | threat_name = "Windows.Trojan.ArkeiStealer" 8 | reference_sample = "708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a = { 01 89 55 F4 8B 45 F4 3B 45 10 73 31 8B 4D 08 03 4D F4 0F BE 19 8B } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Limerat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Limerat_24269a79 { 2 | meta: 3 | id = "24269a79-0172-4da5-9b4d-f61327072bf0" 4 | fingerprint = 
"cb714cd787519216d25edaad9f89a9c0ce1b8fbbbcdf90bda4c79f5d85fdf381" 5 | creation_date = "2021-08-17" 6 | last_modified = "2021-10-04" 7 | threat_name = "Windows.Trojan.Limerat" 8 | reference_sample = "ec781a714d6bc6fac48d59890d9ae594ffd4dbc95710f2da1f1aa3d5b87b9e01" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr \"'" wide fullword 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Exploitscan.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Hacktool_Exploitscan_4327f817 { 2 | meta: 3 | id = "4327f817-cb11-480f-aba7-4d5170c77758" 4 | fingerprint = "3f70c8ef8f20f763dcada4353c254fe1df238829ce590fb87c279d8a892cf9c4" 5 | creation_date = "2021-01-12" 6 | last_modified = "2021-09-16" 7 | threat_name = "Linux.Hacktool.Exploitscan" 8 | reference_sample = "66c6d0e58916d863a1a973b4f5cb7d691fbd01d26b408dbc8c74f0f1e4088dfb" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a = { 24 08 8B 4C 24 0C 85 C0 74 20 8B 58 20 84 03 83 C3 10 8B 68 24 89 9C 24 DC 00 } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Windows_AttackSimulation_Hovercraft.yar: -------------------------------------------------------------------------------- 1 | rule Windows_AttackSimulation_Hovercraft_f5c7178f { 2 | meta: 3 | id = "f5c7178f-9a3f-463d-96a7-0a82cbed9ba2" 4 | fingerprint = "8965ab173fd09582c9e77e7c54c9722b91b71ecbe42c4f8a8cc87d9a780ffe8c" 5 | creation_date = "2022-05-23" 6 | last_modified = "2022-07-18" 7 | threat_name = "Windows.AttackSimulation.Hovercraft" 8 | 
reference = "046645b2a646c83b4434a893a0876ea9bd51ae05e70d4e72f2ccc648b0f18cb6" 9 | severity = 1 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "MyHovercraftIsFullOfEels" wide fullword 16 | $a2 = "WinHttp.dll" fullword 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Xpertrat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Xpertrat_ce03c41d { 2 | meta: 3 | id = "ce03c41d-d5c3-43f5-b3ca-f244f177d710" 4 | fingerprint = "8aa4336ba6909c820f1164c78453629959e28cb619fda45dbe46291f9fbcbec4" 5 | creation_date = "2021-08-06" 6 | last_modified = "2021-10-04" 7 | threat_name = "Windows.Trojan.Xpertrat" 8 | reference_sample = "d7f2fddb43eb63f9246f0a4535dfcca6da2817592455d7eceaacde666cf1aaae" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "[XpertRAT-Mutex]" wide fullword 16 | $a2 = "XPERTPLUGIN" wide fullword 17 | $a3 = "keylog.tmp" wide fullword 18 | condition: 19 | all of them 20 | } 21 | 22 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/behavior_bug_issue.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Behavior - Report a bug within the endpoint rule 3 | about: Report a bug for the endpoint security artifact 4 | title: "[Bug] Name of behavior rule" 5 | labels: bug, behavior 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. 
See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: 28 | - Version: 29 | 30 | **Additional context** 31 | Add any other context about the problem here. 32 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Octopus.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Octopus_15813e26 { 2 | meta: 3 | id = "15813e26-77f8-46cf-a6a3-ae081925b85a" 4 | fingerprint = "a3294547f7e3cead0cd64eb3d2e7dbd8ccfc4d9eedede240a643c8cd114cbcce" 5 | creation_date = "2021-11-10" 6 | last_modified = "2022-01-13" 7 | description = "Identifies Octopus, an Open source pre-operation C2 server based on Python and PowerShell" 8 | threat_name = "Windows.Trojan.Octopus" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a = "C:\\Users\\UNKNOWN\\source\\repos\\OctopusUnmanagedExe\\OctopusUnmanagedExe\\obj\\x64\\Release\\SystemConfiguration.pdb" ascii fullword 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Linux_Packer_Patched_UPX.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Packer_Patched_UPX_62e11c64 { 2 | meta: 3 | id = "62e11c64-fc7d-4a0a-9d72-ad53ec3987ff" 4 | fingerprint = "3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d" 5 | creation_date = "2021-06-08" 6 | last_modified = "2021-07-28" 7 | threat_name = "Linux.Packer.Patched_UPX" 8 | reference = "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/" 9 | reference_sample = 
"02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669" 10 | severity = 60 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "linux" 15 | strings: 16 | $a = { 55 50 58 21 [4] 00 00 00 00 00 00 00 00 00 00 00 00 } 17 | condition: 18 | all of them and $a in (0 .. 255) 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Pandora.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Pandora_bca8ce23 { 2 | meta: 3 | id = "bca8ce23-6722-4cda-b5fa-623eda4fca1b" 4 | fingerprint = "0da732f6bdf24f35dee3c1bf85435650a5ce9b5c6a93f01176659943c01ad711" 5 | creation_date = "2022-03-14" 6 | last_modified = "2022-04-12" 7 | threat_name = "Windows.Ransomware.Pandora" 8 | reference_sample = "2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "/c vssadmin.exe delete shadows /all /quiet" wide fullword 16 | $a2 = "\\Restore_My_Files.txt" wide fullword 17 | $a3 = ".pandora" wide fullword 18 | condition: 19 | all of them 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Stop.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Stop_1e8d48ff { 2 | meta: 3 | id = "1e8d48ff-e0ab-478d-8268-a11f2e87ab79" 4 | fingerprint = "715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb" 5 | creation_date = "2021-06-10" 6 | last_modified = "2021-08-23" 7 | threat_name = "Windows.Ransomware.Stop" 8 | reference_sample = "821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic 
License v2" 13 | os = "windows" 14 | strings: 15 | $a = "E:\\Doc\\My work (C++)\\_Git\\Encryption\\Release\\encrypt_win_api.pdb" ascii fullword 16 | $b = { 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF } 17 | condition: 18 | any of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara/rules/MacOS_Backdoor_Useragent.yar: -------------------------------------------------------------------------------- 1 | rule MacOS_Backdoor_Useragent_1a02fc3a { 2 | meta: 3 | id = "1a02fc3a-a394-457b-8af5-99f7f22b0a3b" 4 | fingerprint = "22afa14a3dc6f8053b93bf3e971d57808a9cc19e676f9ed358ba5f1db9292ba4" 5 | creation_date = "2021-11-11" 6 | last_modified = "2022-07-22" 7 | threat_name = "MacOS.Backdoor.Useragent" 8 | reference_sample = "623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "macos" 14 | strings: 15 | $s1 = "/Library/LaunchAgents/com.UserAgent.va.plist" 16 | $s2 = "this is not root" 17 | $s3 = "rm -Rf " 18 | $s4 = "/start.sh" 19 | $s5 = ".killchecker_" 20 | condition: 21 | 4 of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Hancitor.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Hancitor_6738d84a { 2 | meta: 3 | id = "6738d84a-7393-4db2-97cc-66f471b5699a" 4 | fingerprint = "44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912" 5 | creation_date = "2021-06-17" 6 | last_modified = "2021-08-23" 7 | threat_name = "Windows.Trojan.Hancitor" 8 | reference_sample = "a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = 
"GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d" 16 | $b1 = "Rundll32.exe %s, start" ascii fullword 17 | $b2 = "MASSLoader.dll" ascii fullword 18 | condition: 19 | $a1 or all of ($b*) 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Lockfile.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Lockfile_74185716 { 2 | meta: 3 | id = "74185716-e79d-4d63-b6ae-9480f24dcd4f" 4 | fingerprint = "849a0fb5a2e08b2d32db839a7fdbde03a184a48726678e65e7f8452b354a3ca8" 5 | creation_date = "2021-08-31" 6 | last_modified = "2022-01-13" 7 | threat_name = "Windows.Ransomware.Lockfile" 8 | reference_sample = "bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "LOCKFILE-README" 16 | $a2 = "wmic process where \"name like '%virtualbox%'\" call terminate" 17 | $a3 = "" 18 | $a4 = ".lockfile" 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Remcos.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Remcos_b296e965 { 2 | meta: 3 | id = "b296e965-a99e-4446-b969-ba233a2a8af4" 4 | fingerprint = "a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d" 5 | creation_date = "2021-06-10" 6 | last_modified = "2021-08-23" 7 | threat_name = "Windows.Trojan.Remcos" 8 | reference_sample = "0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "Remcos restarted by watchdog!" 
ascii fullword 16 | $a2 = "Mutex_RemWatchdog" ascii fullword 17 | $a3 = "%02i:%02i:%02i:%03i" 18 | $a4 = "* Remcos v" ascii fullword 19 | condition: 20 | 2 of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara/rules/MacOS_Cryptominer_Xmrig.yar: -------------------------------------------------------------------------------- 1 | rule MacOS_Cryptominer_Xmrig_241780a1 { 2 | meta: 3 | id = "241780a1-ad50-4ded-b85a-26339ae5a632" 4 | fingerprint = "be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8" 5 | creation_date = "2021-09-30" 6 | last_modified = "2021-10-25" 7 | threat_name = "MacOS.Cryptominer.Xmrig" 8 | reference_sample = "2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "macos" 14 | strings: 15 | $a1 = "mining.set_target" ascii fullword 16 | $a2 = "XMRIG_HOSTNAME" ascii fullword 17 | $a3 = "Usage: xmrig [OPTIONS]" ascii fullword 18 | $a4 = "XMRIG_VERSION" ascii fullword 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Babylonrat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Babylonrat_0f66e73b { 2 | meta: 3 | id = "0f66e73b-7824-46b6-a9e6-5abf018c9ffa" 4 | fingerprint = "3998824e381f51aaa2c81c12d4c05157c642d8aef39982e35fa3e124191640ea" 5 | creation_date = "2021-09-02" 6 | last_modified = "2022-01-13" 7 | threat_name = "Windows.Trojan.Babylonrat" 8 | reference_sample = "4278064ec50f87bb0471053c068b13955ed9d599434e687a64bf2060438a7511" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "BabylonRAT" wide fullword 16 | $a2 = "Babylon RAT Client" wide fullword 17 | $a3 = "ping 0 
& del \"" wide fullword 18 | $a4 = "\\%Y %m %d - %I %M %p" wide fullword 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara/rules/MacOS_Backdoor_Keyboardrecord.yar: -------------------------------------------------------------------------------- 1 | rule MacOS_Backdoor_Keyboardrecord_832f7bac { 2 | meta: 3 | id = "832f7bac-3896-4934-b05f-8215a41cca74" 4 | fingerprint = "27aa4380bda0335c672e957ba2ce6fd1f42ccf0acd2eff757e30210c3b4fb2fa" 5 | creation_date = "2021-11-11" 6 | last_modified = "2022-07-22" 7 | threat_name = "MacOS.Backdoor.Keyboardrecord" 8 | reference_sample = "570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file" 12 | license = "Elastic License v2" 13 | os = "macos" 14 | strings: 15 | $s1 = "com.ccc.keyboardrecord" 16 | $s2 = "com.ccc.write_queue" 17 | $s3 = "ps -p %s > /dev/null" 18 | $s4 = "useage %s path useragentpid" 19 | $s5 = "keyboardRecorderStartPKc" 20 | condition: 21 | 3 of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Electrorat.yar: -------------------------------------------------------------------------------- 1 | rule MacOS_Trojan_Electrorat_b4dbfd1d { 2 | meta: 3 | id = "b4dbfd1d-4968-4121-a4c2-5935b7f76fc1" 4 | fingerprint = "fa65fc0a8f5b1f63957c586e6ca8e8fbdb811970f25a378a4ff6edf5e5c44da7" 5 | creation_date = "2021-09-30" 6 | last_modified = "2021-10-25" 7 | threat_name = "MacOS.Trojan.Electrorat" 8 | reference_sample = "b1028b38fcce0d54f2013c89a9c0605ccb316c36c27faf3a35adf435837025a4" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "macos" 14 | strings: 15 | $a1 = "_TtC9Keylogger9Keylogger" ascii fullword 16 | $a2 = "_TtC9Keylogger17CallBackFunctions" ascii fullword 17 | $a3 = "\\DELETE-FORWARD" ascii fullword 
18 | $a4 = "\\CAPSLOCK" ascii fullword 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Mespinoza.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Mespinoza_3adb59f5 { 2 | meta: 3 | id = "3adb59f5-a4af-48f2-8029-874a62b23651" 4 | fingerprint = "f44a79048427e79d339d3b0ccaeb85ba6731d5548256a2615f32970dcf67578f" 5 | creation_date = "2021-08-05" 6 | last_modified = "2021-10-04" 7 | threat_name = "Windows.Ransomware.Mespinoza" 8 | reference_sample = "6f3cd5f05ab4f404c78bab92f705c91d967b31a9b06017d910af312fa87ae3d6" 9 | severity = 90 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "Don't try to use backups because it were encrypted too." ascii fullword 16 | $a2 = "Every byte on any types of your devices was encrypted." ascii fullword 17 | $a3 = "n.pysa" wide fullword 18 | condition: 19 | all of them 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Bitrat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Bitrat_34bd6c83 { 2 | meta: 3 | id = "34bd6c83-9a71-43d5-b0b1-1646a8fb66e8" 4 | fingerprint = "bc4a5fad1810ad971277a455030eed3377901a33068bb994e235346cfe5a524f" 5 | creation_date = "2021-06-13" 6 | last_modified = "2021-08-23" 7 | threat_name = "Windows.Trojan.Bitrat" 8 | reference_sample = "37f70ae0e4e671c739d402c00f708761e98b155a1eefbedff1236637c4b7690a" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "crd_logins_report" ascii fullword 16 | $a2 = "drives_get" ascii fullword 17 | $a3 = "files_get" ascii fullword 18 | $a4 = "shell_stop" ascii fullword 19 | $a5 
= "hvnc_start_ie" ascii fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Revengerat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Revengerat_db91bcc6 { 2 | meta: 3 | id = "db91bcc6-024d-42da-8d0a-bd69374bf622" 4 | fingerprint = "9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666" 5 | creation_date = "2021-09-02" 6 | last_modified = "2022-01-13" 7 | threat_name = "Windows.Trojan.Revengerat" 8 | reference_sample = "30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "Revenge-RAT" wide fullword 16 | $a2 = "SELECT * FROM FirewallProduct" wide fullword 17 | $a3 = "HKEY_CURRENT_USER\\SOFTWARE\\" wide fullword 18 | $a4 = "get_MachineName" ascii fullword 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Jupyter.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Jupyter_56152e31 { 2 | meta: 3 | id = "56152e31-77c6-49fa-bbc5-c3630f11e633" 4 | fingerprint = "9cccc2e3d4cfe9ff090d02b143fa837f4da0c229426435b4e097f902e8c5fb01" 5 | creation_date = "2021-07-22" 6 | last_modified = "2021-08-23" 7 | threat_name = "Windows.Trojan.Jupyter" 8 | reference_sample = "ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "%appdata%\\solarmarker.dat" ascii fullword 16 | $a2 = "\\AppData\\Roaming\\solarmarker.dat" wide fullword 17 | $b1 = "steal_passwords" ascii fullword 18 | $b2 = "jupyter" 
ascii fullword 19 | condition: 20 | 1 of ($a*) or 2 of ($b*) 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Eggshell.yar: -------------------------------------------------------------------------------- 1 | rule MacOS_Trojan_Eggshell_ddacf7b9 { 2 | meta: 3 | id = "ddacf7b9-8479-47ef-9df2-17060578a8e5" 4 | fingerprint = "2e6284c8e44809d5f88781dcf7779d1e24ce3aedd5e8db8598e49c01da63fe62" 5 | creation_date = "2021-09-30" 6 | last_modified = "2021-10-25" 7 | threat_name = "MacOS.Trojan.Eggshell" 8 | reference_sample = "6d93a714dd008746569c0fbd00fadccbd5f15eef06b200a4e831df0dc8f3d05b" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "macos" 14 | strings: 15 | $a1 = "ScreenshotThread" ascii fullword 16 | $a2 = "KeylogThread" ascii fullword 17 | $a3 = "GetClipboardThread" ascii fullword 18 | $a4 = "_uploadProgress" ascii fullword 19 | $a5 = "killTask:" ascii fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_A310logger.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_A310logger_520cd7ec { 2 | meta: 3 | id = "520cd7ec-840c-4d45-961b-8bc5e329c52f" 4 | fingerprint = "f4ee88e555b7bd0102403cc804372f5376debc59555e8e7b4a16e18b04d1b314" 5 | creation_date = "2022-01-11" 6 | last_modified = "2022-04-12" 7 | threat_name = "Windows.Trojan.A310logger" 8 | reference_sample = "60fb9597e5843c72d761525f73ca728409579d81901860981ebd84f7d153cfa3" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "/dumps9taw" ascii fullword 16 | $a2 = "/logstatus" ascii fullword 17 | $a3 = "/checkprotection" ascii fullword 18 | $a4 = "[CLIPBOARD]<<" wide fullword 19 | $a5 = 
"&chat_id=" wide fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara/rules/MacOS_Backdoor_Fakeflashlxk.yar: -------------------------------------------------------------------------------- 1 | rule MacOS_Backdoor_Fakeflashlxk_06fd8071 { 2 | meta: 3 | id = "06fd8071-0370-4ae8-819a-846fa0a79b3d" 4 | fingerprint = "a0e6763428616b46536c6a4eb080bae0cc58ef27678616aa432eb43a3d9c77a1" 5 | creation_date = "2021-11-11" 6 | last_modified = "2022-07-22" 7 | threat_name = "MacOS.Backdoor.Fakeflashlxk" 8 | reference_sample = "107f844f19e638866d8249e6f735daf650168a48a322d39e39d5e36cfc1c8659" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "macos" 14 | strings: 15 | $s1 = "/Users/lxk/Library/Developer/Xcode/DerivedData" 16 | $s2 = "Desktop/SafariFlashActivity/SafariFlashActivity/SafariFlashActivity/" 17 | $s3 = "/Debug/SafariFlashActivity.build/Objects-normal/x86_64/AppDelegate.o" 18 | condition: 19 | 2 of them 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Gh0st.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Gh0st_ee6de6bc { 2 | meta: 3 | id = "ee6de6bc-1648-4a77-9607-e2a211c7bda4" 4 | fingerprint = "3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455" 5 | creation_date = "2021-06-10" 6 | last_modified = "2021-08-23" 7 | description = "Identifies a variant of Gh0st Rat" 8 | threat_name = "Windows.Trojan.Gh0st" 9 | reference_sample = "ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = ":]%d-%d-%d %d:%d:%d" ascii fullword 17 | $a2 = "[Pause Break]" ascii fullword 18 | $a3 = "f-secure.exe" 
ascii fullword 19 | $a4 = "Accept-Language: zh-cn" ascii fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Ransomexx.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Ransomexx_fabff49c { 2 | meta: 3 | id = "fabff49c-8e1a-4020-b081-2f432532e529" 4 | fingerprint = "a7a1e6d5fafdddc7d4699710edf407653968ffd40747c50f26ef63a6cb623bbe" 5 | creation_date = "2021-08-07" 6 | last_modified = "2021-10-04" 7 | threat_name = "Windows.Ransomware.Ransomexx" 8 | reference_sample = "480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "ransom.exx" ascii fullword 16 | $a2 = "Infrastructure rebuild will cost you MUCH more." wide fullword 17 | $a3 = "Your files are securely ENCRYPTED." 
wide fullword
18 |         $a4 = "delete catalog -quiet" wide fullword  // backup-catalog deletion argument (wbadmin syntax — confirm)
19 |     condition:
20 |         all of them
21 | }
22 |
23 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_OskiStealer.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_OskiStealer_a158b1e3 {  // Oski stealer: all five strings required. $a1 is the Chromium "Local State" os_crypt/encrypted_key JSON prefix (the DPAPI-wrapped browser key that credential stealers read); $a4/$a5 look base64-encoded and are used here as opaque sample constants.
2 |     meta:
3 |         id = "a158b1e3-21b7-4009-9646-6bee9bde98ad"
4 |         fingerprint = "3996a89d37494b118654f3713393f415c662850a5a76afa00e83f9611aee3221"
5 |         creation_date = "2022-03-21"
6 |         last_modified = "2022-04-12"
7 |         threat_name = "Windows.Trojan.OskiStealer"
8 |         reference_sample = "568cd515c9a3bce7ef21520761b02cbfc95d8884d5b2dc38fc352af92356c694"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "\"os_crypt\":{\"encrypted_key\":\"" ascii fullword
16 |         $a2 = "%s / %s" ascii fullword
17 |         $a3 = "outlook.txt" ascii fullword
18 |         $a4 = "GLoX6gmCFw==" ascii fullword
19 |         $a5 = "KaoQpEzKSjGm8Q==" ascii fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Pandastealer.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Pandastealer_8b333e76 {  // Panda stealer: log-format fragments ("] - [user: ", "[-] data unpacked failed", "[+] data unpacked"), a "\history\" path component and "PlayerName". The condition on the next page line requires all five.
2 |     meta:
3 |         id = "8b333e76-f723-4093-ad72-2f5d42aaa9c9"
4 |         fingerprint = "873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487"
5 |         creation_date = "2021-09-02"
6 |         last_modified = "2022-01-13"
7 |         threat_name = "Windows.Trojan.Pandastealer"
8 |         reference_sample = "ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "] - [user: " ascii fullword
16 |         $a2 = "[-] data unpacked failed" ascii fullword
17 |         $a3 = "[+] 
data unpacked" ascii fullword
18 |         $a4 = "\\history\\" ascii fullword
19 |         $a5 = "PlayerName" ascii fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_Bishopsliver.yar: --------------------------------------------------------------------------------
1 | rule Multi_Trojan_Bishopsliver_42298c4a {  // Bishop Fox Sliver implant (os = "multi"): method-style names such as ").GetPivotID" and "name=PivotID" field tags, which read like generated Go protobuf accessors (TODO confirm). Only 2 of 7 strings are needed and none carries ascii/wide/fullword modifiers, so this is a deliberately loose match — review hits in context.
2 |     meta:
3 |         id = "42298c4a-fcea-4c5a-b213-32db00e4eb5a"
4 |         fingerprint = "0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a"
5 |         creation_date = "2021-10-20"
6 |         last_modified = "2022-01-14"
7 |         threat_name = "Multi.Trojan.Bishopsliver"
8 |         reference_sample = "3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "multi"
14 |     strings:
15 |         $a1 = ").RequestResend"
16 |         $a2 = ").GetPrivInfo"
17 |         $a3 = ").GetReconnectIntervalSeconds"
18 |         $a4 = ").GetPivotID"
19 |         $a5 = "name=PrivInfo"
20 |         $a6 = "name=ReconnectIntervalSeconds"
21 |         $a7 = "name=PivotID"
22 |     condition:
23 |         2 of them
24 | }
25 |
26 |
-------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Log4j.yar: --------------------------------------------------------------------------------
1 | rule Linux_Exploit_Log4j_7fc4d480 {  // Log4Shell-style JNDI exploitation artefacts. The $jndi* strings are JDK/log4j lookup class paths that can also appear in benign JVM memory, so the condition (next page line) additionally requires one $exp* artefact of a served exploit class. Same strings and fingerprint as the MacOS and Windows Log4j rules on this page; only threat_name/os differ, and no reference_sample is recorded.
2 |     meta:
3 |         id = "7fc4d480-5354-4b0b-93ee-2937ddd1565c"
4 |         fingerprint = "cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159"
5 |         creation_date = "2021-12-13"
6 |         last_modified = "2022-01-26"
7 |         threat_name = "Linux.Exploit.Log4j"
8 |         severity = 100
9 |         arch_context = "x86"
10 |         scan_context = "file, memory"
11 |         license = "Elastic License v2"
12 |         os = "linux"
13 |     strings:
14 |         $jndi1 = "jndi.ldap.LdapCtx.c_lookup"
15 |         $jndi2 = "logging.log4j.core.lookup.JndiLookup.lookup"
16 |         $jndi3 = "com.sun.jndi.url.ldap.ldapURLContext.lookup"
17 |         $exp1 = 
"Basic/Command/Base64/"
18 |         $exp2 = "java.lang.ClassCastException: Exploit"
19 |         $exp3 = "WEB-INF/classes/Exploit"
20 |         $exp4 = "Exploit.java"
21 |     condition:
22 |         2 of ($jndi*) and 1 of ($exp*)  // JNDI class names alone are not enough; an exploit-class artefact is mandatory
23 | }
24 |
25 |
-------------------------------------------------------------------------------- /yara/rules/MacOS_Exploit_Log4j.yar: --------------------------------------------------------------------------------
1 | rule MacOS_Exploit_Log4j_75a13888 {  // macOS copy of the Log4j JNDI-exploitation rule: identical strings and fingerprint to the Linux and Windows variants on this page, differing only in threat_name/os. Needs 2 of the 3 JNDI lookup class paths plus 1 exploit-class artefact ($exp*); the latter supplies the specificity the JDK class names alone lack. No reference_sample is recorded.
2 |     meta:
3 |         id = "75a13888-7650-4ef3-adec-15378c8479bd"
4 |         fingerprint = "cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159"
5 |         creation_date = "2021-12-13"
6 |         last_modified = "2022-07-22"
7 |         threat_name = "MacOS.Exploit.Log4j"
8 |         severity = 100
9 |         arch_context = "x86"
10 |         scan_context = "file, memory"
11 |         license = "Elastic License v2"
12 |         os = "macos"
13 |     strings:
14 |         $jndi1 = "jndi.ldap.LdapCtx.c_lookup"
15 |         $jndi2 = "logging.log4j.core.lookup.JndiLookup.lookup"
16 |         $jndi3 = "com.sun.jndi.url.ldap.ldapURLContext.lookup"
17 |         $exp1 = "Basic/Command/Base64/"
18 |         $exp2 = "java.lang.ClassCastException: Exploit"
19 |         $exp3 = "WEB-INF/classes/Exploit"
20 |         $exp4 = "Exploit.java"
21 |     condition:
22 |         2 of ($jndi*) and 1 of ($exp*)
23 | }
24 |
25 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Avoslocker.yar: --------------------------------------------------------------------------------
1 | rule Windows_Ransomware_Avoslocker_7ae4d4f2 {  // AvosLocker: encryption-progress format strings ("drive %s took %f seconds", "encrypting %ls failed") and a "client_rsa_priv: %s" label. Strings and condition are on the next page line; all five are required.
2 |     meta:
3 |         id = "7ae4d4f2-be5f-4aad-baaa-4182ff9cf996"
4 |         fingerprint = "0e5ff268ed2b62f9d31df41192135145094849a4e6891407568c3ea27ebf66bb"
5 |         creation_date = "2021-07-28"
6 |         last_modified = "2021-08-23"
7 |         threat_name = "Windows.Ransomware.Avoslocker"
8 |         reference_sample = "43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |
$a1 = "drive %s took %f seconds" ascii fullword
16 |         $a2 = "client_rsa_priv: %s" ascii fullword
17 |         $a3 = "drive: %s" ascii fullword
18 |         $a4 = "Map: %s" ascii fullword
19 |         $a5 = "encrypting %ls failed" wide fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_WhisperGate.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_WhisperGate_9192618b {  // WhisperGate: a Discord CDN attachment URL prefix ($a1 has no fullword, so any attachment path matches), the letter-padded "DxownxloxadDxatxxax" token, "powershell", and the start of a base64 "-enc" argument (appears to decode from UTF-16 to "Start…" — TODO confirm). All five wide strings are required.
2 |     meta:
3 |         id = "9192618b-4f3e-4503-a97f-3c4420fb79e0"
4 |         fingerprint = "21f2a5b730a86567e68491a0d997fc52ba37f28b2164747240a74c225be3c661"
5 |         creation_date = "2022-01-17"
6 |         last_modified = "2022-01-17"
7 |         threat_name = "Windows.Trojan.WhisperGate"
8 |         reference_sample = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "https://cdn.discordapp.com/attachments/" wide
16 |         $a2 = "DxownxloxadDxatxxax" wide fullword
17 |         $a3 = "powershell" wide fullword
18 |         $a4 = "-enc UwB0AGEAcgB0AC" wide fullword
19 |         $a5 = "Ylfwdwgmpilzyaph" wide fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DiamondFox.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_DiamondFox_18bc11e3 {  // DiamondFox: file names ("\wscript.vbs", "\snapshot.jpg"), a "&soft=" query-string fragment, a loopback-ping delay command and a Win32_Process WMI query. Strings are on the next page line; all five are required.
2 |     meta:
3 |         id = "18bc11e3-5872-40b0-a3b7-cef4b32fac15"
4 |         fingerprint = "6f908d11220e218a7b59239ff3cc00c7e273fb46ec99ef7ae37e4aceb4de7831"
5 |         creation_date = "2022-03-02"
6 |         last_modified = "2022-04-12"
7 |         threat_name = "Windows.Trojan.DiamondFox"
8 |         reference_sample = "a44c46d4b9cf1254aaabd1e689f84c4d2c3dd213597f827acabface03a1ae6d1"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = 
"Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "\\wscript.vbs" wide fullword
16 |         $a2 = "\\snapshot.jpg" wide fullword
17 |         $a3 = "&soft=" wide fullword
18 |         $a4 = "ping -n 4 127.0.0.1 > nul" wide fullword  // loopback ping used as a short sleep (common batch idiom)
19 |         $a5 = "Select Name from Win32_Process Where Name = '" wide fullword  // WQL process lookup by name
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Remotemanipulator.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Remotemanipulator_9ec52153 {  // Remote Manipulator System: "rutserv.exe" and "rfusclient.exe" appear to be the executables of the Remote Utilities remote-administration product, which is also deployed legitimately — triage hits by deployment context. Also "killself.bat", "install.log" and an agent-path error message; the condition (next page line) requires all five.
2 |     meta:
3 |         id = "9ec52153-3b62-432d-b87c-895035df1a46"
4 |         fingerprint = "02220e8af70ecffb3a7585f756c59ef5d9e17e6690c36d6bffc458e1d17dbd0c"
5 |         creation_date = "2021-09-02"
6 |         last_modified = "2022-01-13"
7 |         threat_name = "Windows.Trojan.Remotemanipulator"
8 |         reference_sample = "1dd15c830c0a159b53ed21b8c2ce1b7e8093256368d7b96c1347c6851ee6c4f6"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "killself.bat" wide fullword
16 |         $a2 = "rutserv.exe" wide fullword
17 |         $a3 = "rfusclient.exe" wide fullword
18 |         $a4 = "install.log" wide fullword
19 |         $a5 = "Unable to create Agent's path." 
wide fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_Log4j.yar: --------------------------------------------------------------------------------
1 | rule Windows_Exploit_Log4j_dbac7698 {  // Windows copy of the Log4j JNDI-exploitation rule (same strings and fingerprint as the Linux and macOS variants on this page). Requires 2 of the 3 JNDI lookup class paths plus 1 exploit-class artefact; the $exp* strings carry the specificity, since the JDK/log4j class names can also be present in benign JVM memory. No reference_sample is recorded.
2 |     meta:
3 |         id = "dbac7698-906c-44a2-9795-f04ec07d7fcc"
4 |         fingerprint = "cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159"
5 |         creation_date = "2021-12-13"
6 |         last_modified = "2022-01-13"
7 |         threat_name = "Windows.Exploit.Log4j"
8 |         severity = 100
9 |         arch_context = "x86"
10 |         scan_context = "file, memory"
11 |         license = "Elastic License v2"
12 |         os = "windows"
13 |     strings:
14 |         $jndi1 = "jndi.ldap.LdapCtx.c_lookup"
15 |         $jndi2 = "logging.log4j.core.lookup.JndiLookup.lookup"
16 |         $jndi3 = "com.sun.jndi.url.ldap.ldapURLContext.lookup"
17 |         $exp1 = "Basic/Command/Base64/"
18 |         $exp2 = "java.lang.ClassCastException: Exploit"
19 |         $exp3 = "WEB-INF/classes/Exploit"
20 |         $exp4 = "Exploit.java"
21 |     condition:
22 |         2 of ($jndi*) and 1 of ($exp*)
23 | }
24 |
25 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Darkcomet.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Darkcomet_1df27bcc {  // DarkComet RAT: pipe-delimited command/result tokens (an HTTP-flood result, "is now open!|", "#BOT#RunPrompt", "GETMONITORS") and "ActiveOnlineKeylogger". The condition on the next page line requires all five.
2 |     meta:
3 |         id = "1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63"
4 |         fingerprint = "63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b"
5 |         creation_date = "2021-08-16"
6 |         last_modified = "2021-10-04"
7 |         threat_name = "Windows.Trojan.Darkcomet"
8 |         reference_sample = "7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "BTRESULTHTTP Flood|Http Flood task finished!|" ascii fullword
16 |         $a2 = "is now open!|" ascii fullword
17 |         $a3 = "ActiveOnlineKeylogger" ascii 
fullword
18 |         $a4 = "#BOT#RunPrompt" ascii fullword
19 |         $a5 = "GETMONITORS" ascii fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Hawkeye.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Hawkeye_77c36ace {  // HawkEye keylogger/stealer: the "Logger - Key Recorder - [" log header, "Keylogger Enabled: ", a public-IP lookup URL, the "LoadPasswordsSeaMonkey" routine name and the "\.minecraft\lastlogin" saved-login file path. All five wide strings are required.
2 |     meta:
3 |         id = "77c36ace-3857-43f8-a6de-596ba7964b6f"
4 |         fingerprint = "c9a1c61b4fa78c46d493e1b307e9950bd714ba4e5a6249f15a3b86a74b7638e5"
5 |         creation_date = "2021-08-16"
6 |         last_modified = "2021-10-04"
7 |         threat_name = "Windows.Trojan.Hawkeye"
8 |         reference_sample = "28e28025060f1bafd4eb96c7477cab73497ca2144b52e664b254c616607d94cd"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "Logger - Key Recorder - [" wide fullword
16 |         $a2 = "http://whatismyipaddress.com/" wide fullword
17 |         $a3 = "Keylogger Enabled: " wide fullword
18 |         $a4 = "LoadPasswordsSeaMonkey" wide fullword
19 |         $a5 = "\\.minecraft\\lastlogin" wide fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Linux_Backdoor_Tinyshell.yar: --------------------------------------------------------------------------------
1 | rule Linux_Backdoor_Tinyshell_67ee6fae {  // Tiny SHell (tsh) backdoor: group $a matches one binary by its usage banner and getopt spec, group $b the other by its usage banner (judging by the options, the connect-back server and the client respectively — confirm). The condition on the next page line accepts either group in full.
2 |     meta:
3 |         id = "67ee6fae-304b-47f5-93b6-4086a864d433"
4 |         fingerprint = "f71ce364fb607ee6f4422864674ae3d053453b488c139679aa485466893c563d"
5 |         creation_date = "2021-10-12"
6 |         last_modified = "2022-01-26"
7 |         threat_name = "Linux.Backdoor.Tinyshell"
8 |         reference_sample = "9d2e25ec0208a55fba97ac70b23d3d3753e9b906b4546d1b14d8c92f8d8eb03d"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "linux"
14 |     strings:
15 |         $a1 = "Usage: %s [ -c [ connect_back_host ] ] [ -s secret ] [ -p 
port ]" fullword
16 |         $a2 = "s:p:c::" fullword  // getopt option spec matching the usage banner above
17 |         $b1 = "Usage: %s [ -s secret ] [ -p port ] [command]" fullword
18 |         $b2 = " get " fullword  // very short token; the $b group relies on $b1 for specificity
19 |     condition:
20 |         (all of ($a*)) or (all of ($b*))
21 | }
22 |
23 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Cryptbot.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Cryptbot_489a6562 {  // CryptBot stealer: a recursive "rd /s /q %Temp%\" cleanup command, harvested-data file names ("_AllPasswords_list.txt", "\files_\cryptocurrency\log.txt"), a "%wS\%wS\%wS.tmp" path format and the "%AppData%\waves-exchange" wallet-app directory. All five wide strings are required.
2 |     meta:
3 |         id = "489a6562-870c-4105-9bb7-52ab09e5b09c"
4 |         fingerprint = "f4578d79f8923706784e9d55a70ec74051273a945d2b277daa6229724defec3f"
5 |         creation_date = "2021-08-18"
6 |         last_modified = "2021-10-04"
7 |         threat_name = "Windows.Trojan.Cryptbot"
8 |         reference_sample = "423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "/c rd /s /q %Temp%\\" wide fullword
16 |         $a2 = "\\_Files\\_AllPasswords_list.txt" wide fullword
17 |         $a3 = "\\files_\\cryptocurrency\\log.txt" wide fullword
18 |         $a4 = "%wS\\%wS\\%wS.tmp" wide fullword
19 |         $a5 = "%AppData%\\waves-exchange" wide fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Azorult.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Azorult_38fce9ea {  // AZORult stealer: a timeout-then-delete self-removal command, the Pidgin ".purple\accounts.xml" account store, "%TEMP%\curbuf.dat", "PasswordsList.txt" and the Steam registry key. Strings are on the next page line; all five are required.
2 |     meta:
3 |         id = "38fce9ea-a94e-49d3-8eef-96fe06ad27f8"
4 |         fingerprint = "0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a"
5 |         creation_date = "2021-08-05"
6 |         last_modified = "2021-10-04"
7 |         threat_name = "Windows.Trojan.Azorult"
8 |         reference_sample = "405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |
strings:
15 |         $a1 = "/c %WINDIR%\\system32\\timeout.exe 3 & del \"" wide fullword  // delayed self-deletion via cmd
16 |         $a2 = "%APPDATA%\\.purple\\accounts.xml" wide fullword           // Pidgin account store
17 |         $a3 = "%TEMP%\\curbuf.dat" wide fullword
18 |         $a4 = "PasswordsList.txt" ascii fullword
19 |         $a5 = "Software\\Valve\\Steam" wide fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Wiper_HermeticWiper.yar: --------------------------------------------------------------------------------
1 | rule Windows_Wiper_HermeticWiper_7206a969 {  // HermeticWiper: the Windows event-log directory path, a "\\.\EPMNTDRV\%u" device-name format and the matching "tdrv.pdb" debug-symbol name, two short fragments, and the "Hermetica Digital" name the family is named after (likely the code-signing subject — confirm). All six are required; $a6 has no ascii/wide/fullword modifier, so it matches as a plain ascii substring.
2 |     meta:
3 |         id = "7206a969-bbd6-4c2d-a19d-380b71a4ab08"
4 |         fingerprint = "e3486c785f99f4376d4161704afcaf61e8a5ab6101463a76d134469f8a5581bf"
5 |         creation_date = "2022-02-24"
6 |         last_modified = "2022-02-24"
7 |         threat_name = "Windows.Wiper.HermeticWiper"
8 |         reference_sample = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
16 |         $a2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
17 |         $a3 = "tdrv.pdb" ascii fullword
18 |         $a4 = "%s%.2s" wide fullword
19 |         $a5 = "ccessdri" ascii fullword
20 |         $a6 = "Hermetica Digital"
21 |     condition:
22 |         all of them
23 | }
24 |
25 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Njrat.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Njrat_30f3c220 {  // njRAT: the .NET getter "get_Registry", the SEE_MASK_NOZONECHECKS environment variable, a ping-then-delete self-removal command, a netsh firewall rule removal and the "[+] System : " output label. Strings are on the next page line; the condition needs only 3 of 6.
2 |     meta:
3 |         id = "30f3c220-b8dc-45a1-bcf0-027c2f76fa63"
4 |         fingerprint = "d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4"
5 |         creation_date = "2021-06-13"
6 |         last_modified = "2021-10-04"
7 |         threat_name = "Windows.Trojan.Njrat"
8 |         reference_sample = "741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b"
9 |         severity = 100
10 |
arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "get_Registry" ascii fullword
16 |         $a2 = "SEE_MASK_NOZONECHECKS" wide fullword  // env var that suppresses the zone (mark-of-the-web) prompt for launched files
17 |         $a3 = "Download ERROR" wide fullword
18 |         $a4 = "cmd.exe /c ping 0 -n 2 & del \"" wide fullword  // ping as a delay, then self-delete
19 |         $a5 = "netsh firewall delete allowedprogram \"" wide fullword
20 |         $a6 = "[+] System : " wide fullword
21 |     condition:
22 |         3 of them  // loose threshold: half the strings suffice
23 | }
24 |
25 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Revcoderat.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Revcoderat_8e6d4182 {  // RevCode RAT: verbose plugin/status log strings (reverse-proxy and webcam plugin download messages, "TARGET_HOST_UPDATE(): Sync successful!") plus "send_keylog_get". The condition on the next page line requires all four.
2 |     meta:
3 |         id = "8e6d4182-4ea8-4d4c-ad3a-d16b42e387f4"
4 |         fingerprint = "bc259d888e913dffb4272e2f871592238eb78922989d30ac4dc23cdeb988cc78"
5 |         creation_date = "2021-09-02"
6 |         last_modified = "2022-01-13"
7 |         threat_name = "Windows.Trojan.Revcoderat"
8 |         reference_sample = "77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "PLUGIN_PROCESS_REVERSE_PROXY: Plugin already exists, skipping download!" ascii fullword
16 |         $a2 = "TARGET_HOST_UPDATE(): Sync successful!" ascii fullword
17 |         $a3 = "WEBCAM_ACTIVATE: Plugin already exists, skipping download!" 
ascii fullword
18 |         $a4 = "send_keylog_get" ascii fullword
19 |     condition:
20 |         all of them
21 | }
22 |
23 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_StormKitty.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_StormKitty_6256031a {  // StormKitty (open-source stealer; $a1 is its project URL): a hosts-file style entry mapping www.malwarebytes.com to loopback, "KillDefender" (no modifiers, so any ascii occurrence), a "Username: {1}" format string and the "# End of Cookies" / "# End of Passwords" report footers. All six are required.
2 |     meta:
3 |         id = "6256031a-e7dd-423b-a83f-4db428cb3d1b"
4 |         fingerprint = "6f0463de42c97701b0f3b8172e7e461501357921a3d11e6ca467bd1ca397d0b6"
5 |         creation_date = "2022-03-21"
6 |         last_modified = "2022-04-12"
7 |         threat_name = "Windows.Trojan.StormKitty"
8 |         reference_sample = "0c69015f534d1da3770dbc14183474a643c4332de6a599278832abd2b15ba027"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "https://github.com/LimerBoy/StormKitty" ascii fullword
16 |         $a2 = "127.0.0.1 www.malwarebytes.com" wide fullword
17 |         $a3 = "KillDefender"
18 |         $a4 = "Username: {1}" wide fullword
19 |         $a5 = "# End of Cookies" wide fullword
20 |         $a6 = "# End of Passwords" wide fullword
21 |     condition:
22 |         all of them
23 | }
24 |
25 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SystemBC.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_SystemBC_5e883723 {  // SystemBC: a Tor rendezvous HTTP request line, the api.ipify.org IP-lookup URL, generic "KEY-----" / "Host: %s" / "BEGINDATA" fragments (weak on their own, hence the all-of condition) and a hidden-window, execution-policy-bypass PowerShell argument string. Strings continue on the next page line; all six are required.
2 |     meta:
3 |         id = "5e883723-7eaa-4992-91de-abb0ffbba54e"
4 |         fingerprint = "add95c1f4bb279c8b189c3d64a0c2602c73363ebfad56a4077119af148dd2d87"
5 |         creation_date = "2022-03-22"
6 |         last_modified = "2022-04-12"
7 |         threat_name = "Windows.Trojan.SystemBC"
8 |         reference_sample = "b432805eb6b2b58dd957481aa8a973be58915c26c04630ce395753c6a5196b14"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "GET /tor/rendezvous2/%s HTTP/1.0" ascii fullword
16 |         $a2 = 
"https://api.ipify.org/" ascii fullword
17 |         $a3 = "KEY-----" ascii fullword
18 |         $a4 = "Host: %s" ascii fullword
19 |         $a5 = "BEGINDATA" ascii fullword
20 |         $a6 = "-WindowStyle Hidden -ep bypass -file \"" ascii fullword
21 |     condition:
22 |         all of them
23 | }
24 |
25 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Wiper_CaddyWiper.yar: --------------------------------------------------------------------------------
1 | rule Windows_Wiper_CaddyWiper_484bd98a {  // CaddyWiper: three byte patterns of stack-string construction (C6 45 xx imm8 = mov byte ptr [ebp+disp8], imm8) whose immediates spell "C:\Users" ($a1), "D:\" ($a2) and "netapi32" ($a3), plus the DsRoleGetPrimaryDomainInformation import name (API reporting the machine's domain role). All four are required.
2 |     meta:
3 |         id = "484bd98a-543f-42de-a58c-fe9c7b5605a3"
4 |         fingerprint = "de16515a72cd1f7b4d7ee46a4fafde07cf224c2b6df9037bcd20ab4d39181fa8"
5 |         creation_date = "2022-03-14"
6 |         last_modified = "2022-04-12"
7 |         threat_name = "Windows.Wiper.CaddyWiper"
8 |         reference_sample = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = { C6 45 AC 43 C6 45 AD 3A C6 45 AE 5C C6 45 AF 55 C6 45 B0 73 C6 45 B1 65 C6 45 B2 72 C6 45 B3 73 }  // "C:\Users" built byte by byte on the stack
16 |         $a2 = { C6 45 E0 44 C6 45 E1 3A C6 45 E2 5C }  // "D:\"
17 |         $a3 = { C6 45 9C 6E C6 45 9D 65 C6 45 9E 74 C6 45 9F 61 C6 45 A0 70 C6 45 A1 69 C6 45 A2 33 C6 45 A3 32 }  // "netapi32"
18 |         $s1 = "DsRoleGetPrimaryDomainInformation"
19 |     condition:
20 |         all of them
21 | }
22 |
23 |
-------------------------------------------------------------------------------- /yara/rules/MacOS_Backdoor_Kagent.yar: --------------------------------------------------------------------------------
1 | rule MacOS_Backdoor_Kagent_64ca1865 {  // Kagent macOS backdoor: screen-capture debug/log strings, including the source path "../screencapture/screen_capture_thread.cpp" and an "m_autoScreenCaptureQueue" member name. Strings are on the next page line; 4 of 7 are required.
2 |     meta:
3 |         id = "64ca1865-0a99-49dc-b138-02b17ed47f60"
4 |         fingerprint = "b8086b08a019a733bee38cebdc4e25cdae9d3c238cfe7b341d8f0cd4db204d27"
5 |         creation_date = "2021-11-11"
6 |         last_modified = "2022-07-22"
7 |         threat_name = "MacOS.Backdoor.Kagent"
8 |         reference_sample = "d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4"
9 |         severity = 100
10 |
arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "macos"
14 |     strings:
15 |         $s1 = "save saveCaptureInfo"
16 |         $s2 = "savephoto success screenCaptureInfo"
17 |         $s3 = "no auto bbbbbaaend:%d path %s"
18 |         $s4 = "../screencapture/screen_capture_thread.cpp"  // source path left in the binary
19 |         $s5 = "%s:%d, m_autoScreenCaptureQueue: %x"
20 |         $s6 = "auto bbbbbaaend:%d path %s"
21 |         $s7 = "auto aaaaaaaastartTime:%d path %s"
22 |     condition:
23 |         4 of them
24 | }
25 |
26 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Pony.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Pony_d5516fe8 {  // Pony credential stealer: FTP-client data file and store names ("wiseftpsrvs.bin", "SiteServer %d\SFTP", "ftpshell.fsi", "inetcomm server passwords", "Connections.txt") plus "\Global Downloader" and "%s\Keychain". All seven ascii strings are required.
2 |     meta:
3 |         id = "d5516fe8-3b25-4c46-9e5b-111ca312a824"
4 |         fingerprint = "9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f"
5 |         creation_date = "2021-08-14"
6 |         last_modified = "2021-10-04"
7 |         threat_name = "Windows.Trojan.Pony"
8 |         reference_sample = "423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "\\Global Downloader" ascii fullword
16 |         $a2 = "wiseftpsrvs.bin" ascii fullword
17 |         $a3 = "SiteServer %d\\SFTP" ascii fullword
18 |         $a4 = "%s\\Keychain" ascii fullword
19 |         $a5 = "Connections.txt" ascii fullword
20 |         $a6 = "ftpshell.fsi" ascii fullword
21 |         $a7 = "inetcomm server passwords" ascii fullword
22 |     condition:
23 |         all of them
24 | }
25 |
26 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Wiper_DoubleZero.yar: --------------------------------------------------------------------------------
1 | rule Windows_Wiper_DoubleZero_65ec0c50 {  // DoubleZero wiper: three wide strings that are regex source text for per-user profile directories (\Users\<x>\AppData\Roaming\Microsoft, ...\Local\Application Data, ...\Local Settings) — matched here literally as text, not as YARA regexes — plus an obfuscated "get__..." getter name (suggesting a .NET assembly) and "FileShareWrite". Strings and the all-of-five condition are on the next page line.
2 |     meta:
3 |         id = "65ec0c50-4038-46a7-879b-fbb4aab18725"
4 |         fingerprint = "2441bcdf7bc48df098f4ef68231fb15fc5c8f96af2e170de77f1718487b945b2"
5 |         creation_date = 
"2022-03-22"
6 |         last_modified = "2022-04-12"
7 |         threat_name = "Windows.Wiper.DoubleZero"
8 |         reference_sample = "3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $s1 = "\\Users\\\\.*?\\\\AppData\\\\Roaming\\\\Microsoft.*" wide fullword  // regex source text embedded in the binary; YARA matches it literally
16 |         $s2 = "\\Users\\\\.*?\\\\AppData\\\\Local\\\\Application Data.*" wide fullword
17 |         $s3 = "\\Users\\\\.*?\\\\Local Settings.*" wide fullword
18 |         $s4 = "get__beba00adeeb086e6" ascii fullword  // obfuscated property getter name
19 |         $s5 = "FileShareWrite" ascii fullword
20 |     condition:
21 |         all of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Generic.yar: --------------------------------------------------------------------------------
1 | rule Windows_Ransomware_Generic_99f5a632 {  // Generic ransomware sample: a ProtonMail contact address ($a1, no modifiers), a "403forBiden/wHiteHousE.init" project path and two ransom-note sentences; all four are required. NOTE(review): $a4 is split across the next two page lines by the rendering — in the .yar file it must be a single-line text string, since YARA text strings cannot span lines.
2 |     meta:
3 |         id = "99f5a632-8562-4321-b707-c5f583b14511"
4 |         fingerprint = "84ab8d177e50bce1a3eceb99befcf05c7a73ebde2f7ea4010617bf4908257fdb"
5 |         creation_date = "2022-02-24"
6 |         last_modified = "2022-02-24"
7 |         threat_name = "Windows.Ransomware.Generic"
8 |         reference_sample = "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "stephanie.jones2024@protonmail.com"
16 |         $a2 = "_/C_/projects/403forBiden/wHiteHousE.init" ascii fullword
17 |         $a3 = "All your files, documents, photoes, videos, databases etc. have been successfully encrypted" ascii fullword
18 |         $a4 = "

 Do not try to decrypt then by yourself - it's impossible" ascii fullword
19 |     condition:
20 |         all of them
21 | }
22 |
23 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Asyncrat.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Asyncrat_11a11ba1 {  // AsyncRAT: a schtasks /sc onlogon /rl highest persistence command, the "Stub.exe" client name, .NET getters (get_ActivatePong, get_SslClient), a "vmware" check string and the Run registry key path stored reversed ($a5 reads "Software\Microsoft\Windows\CurrentVersion\Run\" backwards). All six are required.
2 |     meta:
3 |         id = "11a11ba1-c178-4415-9c09-45030b500f50"
4 |         fingerprint = "715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8"
5 |         creation_date = "2021-08-05"
6 |         last_modified = "2021-10-04"
7 |         threat_name = "Windows.Trojan.Asyncrat"
8 |         reference_sample = "fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "/c schtasks /create /f /sc onlogon /rl highest /tn \"" wide fullword
16 |         $a2 = "Stub.exe" wide fullword
17 |         $a3 = "get_ActivatePong" ascii fullword
18 |         $a4 = "vmware" wide fullword
19 |         $a5 = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" wide fullword  // reversed Run key path
20 |         $a6 = "get_SslClient" ascii fullword
21 |     condition:
22 |         all of them
23 | }
24 |
25 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DCRat.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_DCRat_1aeea1ac {  // DCRat: group $a holds five behaviour strings (the $a4/$a5 base64 values on the next page line are the same schtasks command and Run key seen in plaintext in the Asyncrat rule), group $b two author tags ("DcRatByqwqdanchun"). The condition accepts all five $a or any single $b. No reference_sample is recorded in this rule's meta.
2 |     meta:
3 |         id = "1aeea1ac-69b9-4cc6-91af-18b7a79f35ce"
4 |         fingerprint = "fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9"
5 |         creation_date = "2022-01-15"
6 |         last_modified = "2022-04-12"
7 |         threat_name = "Windows.Trojan.DCRat"
8 |         severity = 100
9 |         arch_context = "x86"
10 |         scan_context = "file, memory"
11 |         license = "Elastic License v2"
12 |         os = "windows"
13 |     strings:
14 |         $a1 = "havecamera" ascii fullword
15 |         $a2 = "timeout 3 > NUL" wide fullword
16 |         $a3 = "START \"\" \"" wide fullword
17 |
$a4 = "L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g" wide fullword  // base64 of "/c schtasks /create /f /sc onlogon /rl highest /tn " (same command as the Asyncrat rule's $a1)
18 |         $a5 = "U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==" wide fullword  // base64 of "SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
19 |         $b1 = "DcRatByqwqdanchun" ascii fullword
20 |         $b2 = "DcRat By qwqdanchun1" ascii fullword
21 |     condition:
22 |         5 of ($a*) or 1 of ($b*)  // exactly five $a strings exist, so the first clause means all of them
23 | }
24 |
25 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Quasarrat.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Quasarrat_e52df647 {  // Quasar RAT: .NET type/method names (GetKeyloggerLogsResponse, DoDownloadAndExecute), the api.ipify.org lookup URL, a cookie-dump format string and a schtasks ONLOGON fragment. 4 of 5 are required.
2 |     meta:
3 |         id = "e52df647-c197-4790-b051-8951fba80c3b"
4 |         fingerprint = "c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815"
5 |         creation_date = "2021-06-27"
6 |         last_modified = "2021-08-23"
7 |         threat_name = "Windows.Trojan.Quasarrat"
8 |         reference_sample = "a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a1 = "GetKeyloggerLogsResponse" ascii fullword
16 |         $a2 = "DoDownloadAndExecute" ascii fullword
17 |         $a3 = "http://api.ipify.org/" wide fullword
18 |         $a4 = "Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}" wide fullword
19 |         $a5 = "\" /sc ONLOGON /tr \"" wide fullword
20 |     condition:
21 |         4 of them
22 | }
23 |
24 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Tofsee.yar: --------------------------------------------------------------------------------
1 | rule Windows_Trojan_Tofsee_26124fe4 {  // Tofsee: two x86 code patterns (on the next page line) rather than text strings; either one alone is a match ("any of them").
2 |     meta:
3 |         id = "26124fe4-f2a1-4fc9-8155-585b581476de"
4 |         fingerprint = "dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31"
5 |         creation_date = "2022-03-31"
6 |         last_modified = "2022-04-12"
7 |         threat_name = "Windows.Trojan.Tofsee"
8 |         reference_sample = 
"e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "windows"
14 |     strings:
15 |         $a = { 55 8B EC 8B 45 ?? 57 8B 7D ?? B1 01 85 FF 74 ?? 56 8B 75 ?? 2B F0 8A 14 06 32 55 ?? 88 10 8A D1 02 55 ?? F6 D9 00 55 ?? 40 4F 75 ?? 5E 8B 45 ?? 5F 5D C3 }  // push ebp / mov ebp,esp prologue, a byte loop xor-ing (32 55 ??) against a stack byte, pop edi / pop ebp / ret epilogue — looks like a small string-decoding routine (TODO confirm against the sample)
16 |         $b = { 8B 44 24 ?? 53 8A 18 84 DB 74 ?? 8B D0 2B 54 24 ?? 8B 4C 24 ?? 84 DB 74 ?? 8A 19 84 DB 74 ?? 38 1C 0A 75 ?? 41 80 3C 0A 00 75 ?? 80 39 00 74 ?? 40 8A 18 42 84 DB 75 ?? 33 C0 5B C3 }  // byte-compare loop over two buffers (8A 18 / 8A 19 loads, 38 1C 0A compare, NUL checks) returning 0 in eax — resembles a substring search (TODO confirm)
17 |     condition:
18 |         any of them
19 | }
20 |
21 |
-------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Fontonlake.yar: --------------------------------------------------------------------------------
1 | rule Linux_Rootkit_Fontonlake_8fa41f5e {  // FontOnLake Linux rootkit: either group $a (kernel_write, a hidden "/proc/.dot3" entry, hide_pid) plus one "/tmp/.tmH" or "/tmp/.tmp_" path, or the full $h group of s_hide_* symbol-like names (pids, tcp4 ports, strings). All strings are fullword text with default (ascii) matching.
2 |     meta:
3 |         id = "8fa41f5e-d03d-4647-86fb-335e056c1c0d"
4 |         fingerprint = "187aae8e659061a06b44e0d353e35e22ada9076c78d8a7e4493e1e4cc600bc9d"
5 |         creation_date = "2021-10-12"
6 |         last_modified = "2022-01-26"
7 |         threat_name = "Linux.Rootkit.Fontonlake"
8 |         reference_sample = "826222d399e2fb17ae6bc6a4e1493003881b1406154c4b817f0216249d04a234"
9 |         severity = 100
10 |         arch_context = "x86"
11 |         scan_context = "file, memory"
12 |         license = "Elastic License v2"
13 |         os = "linux"
14 |     strings:
15 |         $a1 = "kernel_write" fullword
16 |         $a2 = "/proc/.dot3" fullword
17 |         $a3 = "hide_pid" fullword
18 |         $h2 = "s_hide_pids" fullword
19 |         $h3 = "s_hide_tcp4_ports" fullword
20 |         $h4 = "s_hide_strs" fullword
21 |         $tmp1 = "/tmp/.tmH" fullword
22 |         $tmp2 = "/tmp/.tmp_" fullword
23 |     condition:
24 |         (all of ($a*) and 1 of ($tmp*)) or (all of ($h*))
25 | }
26 |
27 |
-------------------------------------------------------------------------------- /yara/rules/Windows_Wiper_IsaacWiper.yar: --------------------------------------------------------------------------------
1 | rule Windows_Wiper_IsaacWiper_239cd2dc {  // IsaacWiper: a "C:\ProgramData\log.txt" log path and the progress messages written while erasing physical/logical drives. Strings are on the next page line; 5 of 6 are required.
2 |     meta:
3 |         id 
= "239cd2dc-6f93-43fa-98e8-ad7a0edb8a8a" 4 | fingerprint = "a9c193d7c60b0c793c299b23f672d6428ceb229f2ceb2acbfc1124387954b244" 5 | creation_date = "2022-03-04" 6 | last_modified = "2022-04-12" 7 | threat_name = "Windows.Wiper.IsaacWiper" 8 | reference_sample = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "C:\\ProgramData\\log.txt" wide fullword 16 | $a2 = "system physical drive -- FAILED" wide fullword 17 | $a3 = "-- system logical drive: " wide fullword 18 | $a4 = "start erasing system logical drive " wide fullword 19 | $a5 = "-- logical drive: " wide fullword 20 | $a6 = "-- start erasing logical drive " wide fullword 21 | condition: 22 | 5 of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Danabot.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Danabot_6f3dadb2 { 2 | meta: 3 | id = "6f3dadb2-3283-4333-8143-1265721d2221" 4 | fingerprint = "387e3fb3c3f625c8b5e42052c126ce4dbb7de3a7de6b68addf0a0777b9d3b504" 5 | creation_date = "2021-08-15" 6 | last_modified = "2021-10-04" 7 | threat_name = "Windows.Trojan.Danabot" 8 | reference_sample = "716e5a3d29ff525aed30c18061daff4b496f3f828ba2ac763efd857062a42e96" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "%s.dll" ascii fullword 16 | $a2 = "del_ini://Main|Password|" wide fullword 17 | $a3 = "S-Password.txt" wide fullword 18 | $a4 = "BiosTime:" wide fullword 19 | $a5 = "%lu:%s:%s:%d:%s" ascii fullword 20 | $a6 = "DNS:%s" ascii fullword 21 | $a7 = "THttpInject&" ascii fullword 22 | $a8 = "TCookies&" ascii fullword 23 | condition: 24 | all of them 25 | } 26 | 27 | 
-------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Wipelog.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Hacktool_Wipelog_daea1aa4 { 2 | meta: 3 | id = "daea1aa4-0df7-4308-83e1-0707dcda2e54" 4 | fingerprint = "93f899e14e6331c2149ba5c0c1e9dd8def5a7d1b6d2a7af66eade991dea77b3c" 5 | creation_date = "2022-03-17" 6 | last_modified = "2022-07-22" 7 | threat_name = "Linux.Hacktool.Wipelog" 8 | reference_sample = "39b3a95928326012c3b2f64e2663663adde4b028d940c7e804ac4d3953677ea6" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $s1 = "Erase one username on tty" 16 | $s2 = "wipe_utmp" 17 | $s3 = "wipe_acct" 18 | $s4 = "wipe_lastlog" 19 | $s5 = "wipe_wtmp" 20 | $s6 = "getpwnam" 21 | $s7 = "ERROR: Can't find user in passwd" 22 | $s8 = "ERROR: Opening tmp ACCT file" 23 | $s9 = "/var/log/wtmp" 24 | $s10 = "/var/log/lastlog" 25 | $s11 = "Patching %s ...." 
26 | condition: 27 | 4 of them 28 | } 29 | 30 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SVCReady.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_SVCReady_af498d39 { 2 | meta: 3 | id = "af498d39-6ae8-46de-ad6c-81b346d80139" 4 | fingerprint = "6e30d9977698c7864a8c264a7fe8c9a558f6e51dda9c887bda94261ce187645f" 5 | creation_date = "2022-06-12" 6 | last_modified = "2022-07-18" 7 | threat_name = "Windows.Trojan.SVCReady" 8 | reference_sample = "08e427c92010a8a282c894cf5a77a874e09c08e283a66f1905c131871cc4d273" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "RunPEDllNative::HookNtCreateUserProcess fail: targetMapping.valid" ascii fullword 16 | $a2 = "Section Mapping error:Process=0x%x Section [%s] res[0x%x] != va[0x%x] Status:%u" ascii fullword 17 | $a3 = "%s - %I64d < %I64d > %I64d clicks, %I64d pixels, ready=%i" ascii fullword 18 | $a4 = "Svc:windowThreadRunner done" ascii fullword 19 | $a5 = "svc commonMain" ascii fullword 20 | condition: 21 | 4 of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Dcsyncer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Hacktool_Dcsyncer_425579c5 { 2 | meta: 3 | id = "425579c5-496f-4e08-a7e3-bf56e622aa21" 4 | fingerprint = "f6a0c028323be41f6ec90af8a7ea8587fee6985ddefdbcdd24351cb615f756a2" 5 | creation_date = "2021-09-15" 6 | last_modified = "2022-01-13" 7 | description = "MGIxY2/05+FBDTur++++0OUs" 8 | threat_name = "Windows.Hacktool.Dcsyncer" 9 | reference_sample = "af7dbc84efeb186006d75d095f54a266f59e6b2348d0c20591da16ae7b7d509a" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = 
"windows" 15 | strings: 16 | $a1 = "[x] dcsync: Error in ProcessGetNCChangesReply" wide fullword 17 | $a2 = "[x] getDCBind: RPC Exception 0x%08x (%u)" wide fullword 18 | $a3 = "[x] getDomainAndUserInfos: DomainControllerInfo: 0x%08x (%u)" wide fullword 19 | $a4 = "[x] ProcessGetNCChangesReply_decrypt: Checksums don't match (C:0x%08x - R:0x%08x)" wide fullword 20 | condition: 21 | any of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Buerloader.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Buerloader_c8a60f46 { 2 | meta: 3 | id = "c8a60f46-d49a-4566-845b-675fb55c201c" 4 | fingerprint = "346233f4b1306eb574b4063d3b47f90e65a81ad7fe1c74d2a68640d99d456c4c" 5 | creation_date = "2021-08-16" 6 | last_modified = "2021-10-04" 7 | threat_name = "Windows.Trojan.Buerloader" 8 | reference_sample = "3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "User-Agent: Host: HTTP/1.1" ascii fullword 16 | $a2 = "ServerHelloPayloadrandom" ascii fullword 17 | $a3 = "Bad JSON in payload" ascii fullword 18 | $a4 = { 7B 22 68 65 6C 6C 6F 22 3A 20 22 77 6F 72 6C 64 22 7D 48 54 54 50 2F 31 2E 31 20 33 30 31 20 46 6F 75 6E 64 } 19 | $a5 = "PayloadU24UnknownExtensiontyp" ascii fullword 20 | $a6 = " NTDLL.DLL" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Carberp.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Carberp_d6de82ae { 2 | meta: 3 | id = "d6de82ae-9846-40cb-925d-e0a371e1c44c" 4 | fingerprint = "7ce34f1000749a938b78508c93371d3339cd49f73eeec36b25da13c9d129b85c" 5 | creation_date = 
"2021-02-07" 6 | last_modified = "2021-08-23" 7 | description = "Identifies VNC module from the leaked Carberp source code. This could exist in other malware families." 8 | threat_name = "Windows.Trojan.Carberp" 9 | reference = "https://github.com/m0n0ph1/malware-1/blob/master/Carberp%20Botnet/source%20-%20absource/pro/all%20source/hvnc_dll/HVNC%20Lib/vnc/xvnc.h#L342" 10 | reference_sample = "f98fadb6feab71930bd5c08e85153898d686cc96c84fe349c00bf6d482de9b53" 11 | severity = 100 12 | arch_context = "x86" 13 | scan_context = "file, memory" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | strings: 17 | $a1 = ".NET CLR Networking_Perf_Library_Lock_PID_0" ascii wide fullword 18 | $a2 = "FakeVNCWnd" ascii wide fullword 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Mountlocker.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Mountlocker_126a76e2 { 2 | meta: 3 | id = "126a76e2-8a97-4347-ac36-9437a512e16c" 4 | fingerprint = "08213f4474c7c8fd7a6e59c9ff139fb45f224109ad4e6162c12cff5ac85cb10c" 5 | creation_date = "2021-06-10" 6 | last_modified = "2021-08-23" 7 | threat_name = "Windows.Ransomware.Mountlocker" 8 | reference_sample = "4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "[SKIP] locker.dir.check > black_list name=%s" wide fullword 16 | $a2 = "[OK] locker.dir.check > name=%s" wide fullword 17 | $a3 = "[ERROR] locker.worm > execute pcname=%s" wide fullword 18 | $a4 = "[INFO] locker.work.enum.net_drive > enum finish name=%s" wide fullword 19 | $a5 = "[WARN] locker.work.enum.server_shares > logon on server error=%u pcname=%s" wide fullword 20 | condition: 21 | any of them 22 | } 23 | 24 | 
-------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Fontonlake.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Hacktool_Fontonlake_68ad8568 { 2 | meta: 3 | id = "68ad8568-2b00-4680-a83f-1689eff6099c" 4 | fingerprint = "81936e696a525cf02070fa7cfa27574cdad37e1b3d8f278950390a1945c21611" 5 | creation_date = "2021-10-12" 6 | last_modified = "2022-01-26" 7 | threat_name = "Linux.Hacktool.Fontonlake" 8 | reference_sample = "717953f52318e7687fc95626561cc607d4875d77ff7e3cf5c7b21cf91f576fa4" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $s1 = "run_in_bash" 16 | $s2 = "run_in_ss" 17 | $s3 = "real_bash_fork" 18 | $s4 = "fake_bash_add_history" 19 | $s5 = "hook_bash_add_history" 20 | $s6 = "real_bash_add_history" 21 | $s7 = "real_current_user.5417" 22 | $s8 = "real_bash_execve" 23 | $s9 = "inject_so_symbol.c" 24 | $s10 = "/root/rmgr_ko/subhook-0.5/subhook_x86.c" 25 | $s11 = "|1|%ld|%d|%d|%d|%d|%s|%s" 26 | $s12 = "/proc/.dot3" 27 | condition: 28 | 4 of them 29 | } 30 | 31 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Zeus.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Zeus_e51c60d7 { 2 | meta: 3 | id = "e51c60d7-3afa-4cf5-91d8-7782e5026e46" 4 | fingerprint = "813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba" 5 | creation_date = "2021-02-07" 6 | last_modified = "2021-10-04" 7 | description = "Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature." 
8 | threat_name = "Windows.Trojan.Zeus" 9 | reference = "https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects" 10 | reference_sample = "d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3" 11 | severity = 100 12 | arch_context = "x86" 13 | scan_context = "file, memory" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | strings: 17 | $a1 = "name=%s&port=%u" ascii fullword 18 | $a2 = "data_inject" ascii wide fullword 19 | $a3 = "keylog.txt" ascii fullword 20 | $a4 = "User-agent: %s]]]" ascii fullword 21 | $a5 = "%s\\%02d.bmp" ascii fullword 22 | condition: 23 | all of them 24 | } 25 | 26 | -------------------------------------------------------------------------------- /yara/rules/Linux_Proxy_Frp.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Proxy_Frp_4213778f { 2 | meta: 3 | id = "4213778f-d05e-4af8-9650-2d813d5a64e5" 4 | fingerprint = "70bb186a9719767a9a60786fbe10bf4cc2f04c19ea58aaaa90018ec89a9f9b84" 5 | creation_date = "2021-10-20" 6 | last_modified = "2022-01-26" 7 | threat_name = "Linux.Proxy.Frp" 8 | reference_sample = "16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $s1 = "github.com/fatedier/frp/client/proxy.TcpProxy" 16 | $s2 = "frp/cmd/frpc/sub/xtcp.go" 17 | $s3 = "frp/client/proxy/proxy_manager.go" 18 | $s4 = "fatedier/frp/models/config/proxy.go" 19 | $s5 = "github.com/fatedier/frp/server/proxy" 20 | $s6 = "frp/cmd/frps/main.go" 21 | $p1 = "json:\"remote_port\"" 22 | $p2 = "remote_port" 23 | $p3 = "remote_addr" 24 | $p4 = "range section [%s] local_port and remote_port is necessary[ERR]" 25 | condition: 26 | 2 of ($s*) and 2 of ($p*) 27 | } 28 | 29 | -------------------------------------------------------------------------------- /yara/rules/MacOS_Hacktool_Bifrost.yar: 
-------------------------------------------------------------------------------- 1 | rule MacOS_Hacktool_Bifrost_39bcbdf8 { 2 | meta: 3 | id = "39bcbdf8-86dc-480e-8822-dc9832bb9b55" 4 | fingerprint = "e11f6f3a847817644d40fee863e168cd2a18e8e0452482c1e652c11fe8dd769e" 5 | creation_date = "2021-10-12" 6 | last_modified = "2021-10-25" 7 | threat_name = "MacOS.Hacktool.Bifrost" 8 | reference_sample = "e2b64df0add316240b010db7d34d83fc9ac7001233259193e5a72b6e04aece46" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "macos" 14 | strings: 15 | $s1 = "[dump | list | askhash | describe | asktgt | asktgs | s4u | ptt | remove | asklkdcdomain]" fullword 16 | $s2 = "[-] Error in parseKirbi: %s" 17 | $s3 = "[-] Error in parseTGSREP: %s" 18 | $s4 = "genPasswordHashPassword:Length:Enc:Username:Domain:Pretty:" 19 | $s5 = "storeLKDCConfDataFriendlyName:Hostname:Password:CCacheName:" 20 | $s6 = "bifrostconsole-" 21 | $s7 = "-kerberoast" 22 | $s8 = "asklkdcdomain" 23 | $s9 = "askhash" 24 | condition: 25 | 3 of them 26 | } 27 | 28 | -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Helloxd.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Helloxd_0c50f01b { 2 | meta: 3 | id = "0c50f01b-5f3d-4112-9930-ca1150fc12fa" 4 | fingerprint = "462d8c231d608e28e66d810b811f9fdf82d0b3770d21267a4375669a26bbaafd" 5 | creation_date = "2022-06-14" 6 | last_modified = "2022-07-18" 7 | threat_name = "Windows.Ransomware.Helloxd" 8 | reference_sample = "435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $mutex = "With best wishes And good intentions..." 
16 | $ransomnote0 = ":: our TOX below >:)" 17 | $ransomnote1 = "You can download TOX here" 18 | $ransomnote2 = "...!XD ::" 19 | $productname = "HelloXD" ascii wide 20 | $legalcopyright = "uKn0w" ascii wide 21 | $description = "VhlamAV" ascii wide 22 | $companyname = "MicloZ0ft" ascii wide 23 | condition: 24 | ($mutex and all of ($ransomnote*)) or (3 of ($productname, $legalcopyright, $description, $companyname)) 25 | } 26 | 27 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_XtremeRAT.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_XtremeRAT_cd5b60be { 2 | meta: 3 | id = "cd5b60be-4685-425a-8fe1-8366c0e5b84a" 4 | fingerprint = "2ee35d7c34374e9f5cffceb36fe1912932288ea4e8211a8b77430b98a9d41fb2" 5 | creation_date = "2022-03-15" 6 | last_modified = "2022-04-12" 7 | threat_name = "Windows.Trojan.XtremeRAT" 8 | reference_sample = "735f7bf255bdc5ce8e69259c8e24164e5364aeac3ee78782b7b5275c1d793da8" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $s01 = "SOFTWARE\\XtremeRAT" wide fullword 16 | $s02 = "XTREME" wide fullword 17 | $s03 = "STARTSERVERBUFFER" wide fullword 18 | $s04 = "ENDSERVERBUFFER" wide fullword 19 | $s05 = "ServerKeyloggerU" ascii fullword 20 | $s06 = "TServerKeylogger" ascii fullword 21 | $s07 = "XtremeKeylogger" wide fullword 22 | $s08 = "XTREMEBINDER" wide fullword 23 | $s09 = "UnitInjectServer" ascii fullword 24 | $s10 = "shellexecute=" wide fullword 25 | condition: 26 | 7 of ($s*) 27 | } 28 | 29 | -------------------------------------------------------------------------------- /behavior/rules/execution_eggshell_backdoor_execution.toml: -------------------------------------------------------------------------------- 1 | [rule] 2 | description = "Identifies the execution of the EggShell backdoor. 
EggShell is a known post exploitation tool for macOS and Linux." 3 | id = "feed7842-34a6-4764-b858-6e5ac01a5ab7" 4 | license = "Elastic License v2" 5 | name = "EggShell Backdoor Execution" 6 | os_list = ["linux", "macos"] 7 | reference = ["https://github.com/neoneggplant/EggShell"] 8 | version = "1.0.9" 9 | 10 | query = ''' 11 | process where event.action == "exec" and 12 | process.executable : ("/private/tmp/*", "/tmp/*") and process.args : "eyJkZWJ1ZyI6*" 13 | ''' 14 | 15 | [[actions]] 16 | action = "kill_process" 17 | field = "process.entity_id" 18 | state = 0 19 | 20 | [[threat]] 21 | framework = "MITRE ATT&CK" 22 | [[threat.technique]] 23 | id = "T1059" 24 | name = "Command and Scripting Interpreter" 25 | reference = "https://attack.mitre.org/techniques/T1059/" 26 | [[threat.technique.subtechnique]] 27 | id = "T1059.004" 28 | name = "Unix Shell" 29 | reference = "https://attack.mitre.org/techniques/T1059/004/" 30 | 31 | 32 | 33 | [threat.tactic] 34 | id = "TA0002" 35 | name = "Execution" 36 | reference = "https://attack.mitre.org/tactics/TA0002/" 37 | 38 | [internal] 39 | min_endpoint_version = "7.15.0" 40 | -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2022_0847.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Exploit_CVE_2022_0847_e831c285 { 2 | meta: 3 | id = "e831c285-b2b9-49f3-a87c-3deb806e31e4" 4 | fingerprint = "376b791f9bb5f48d0f41ead4e48b5bcc74cb68002bb7c170760428ace169457e" 5 | creation_date = "2022-03-10" 6 | last_modified = "2022-03-14" 7 | threat_name = "Linux.Exploit.CVE-2022-0847" 8 | reference_sample = "c6b2cef2f2bc04e3ae33e0d368eb39eb5ea38d1bca390df47f7096117c1aecca" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $pp = "prepare_pipe" 16 | $s1 = "splice failed" 17 | $s2 = "short splice" 18 | $s3 = "short write" 19 | $s4 = 
"hijacking suid binary" 20 | $s5 = "Usage: %s TARGETFILE OFFSET DATA" 21 | $s6 = "Usage: %s SUID" 22 | $bs1 = { B8 00 10 00 00 81 7D EC 00 10 00 00 0F 46 45 EC 89 45 FC 8B 55 FC 48 8B 45 D8 48 83 C0 04 8B 00 48 8D 35 } 23 | $bs2 = { B8 00 10 00 00 81 7D F0 00 10 00 00 0F 46 45 F0 89 45 F8 8B 55 F8 48 8B 45 D8 8B 00 48 } 24 | condition: 25 | ($pp and 2 of ($s*)) or (all of ($bs*)) 26 | } 27 | 28 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Kronos.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Kronos_cdd2e2c5 { 2 | meta: 3 | id = "cdd2e2c5-17fc-4cec-aece-0b19c54faccf" 4 | fingerprint = "0e124d42a6741a095b66928303731e7060788bc1035b98b729ca91e4f7b6bc44" 5 | creation_date = "2021-02-07" 6 | last_modified = "2021-08-23" 7 | description = "Strings used by the Kronos banking trojan and variants." 8 | threat_name = "Windows.Trojan.Kronos" 9 | reference = "https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects" 10 | reference_sample = "baa9cedbbe0f5689be8f8028a6537c39e9ea8b0815ad76cb98f365ca5a41653f" 11 | severity = 100 12 | arch_context = "x86" 13 | scan_context = "file, memory" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | strings: 17 | $a1 = "data_inject" ascii wide fullword 18 | $a2 = "set_filter" ascii wide fullword 19 | $a3 = "set_url" ascii wide fullword 20 | $a4 = "%ws\\%ws.cfg" ascii wide fullword 21 | $a5 = "D7T1H5F0F5A4C6S3" ascii wide fullword 22 | $a6 = "[DELETE]" ascii wide fullword 23 | $a7 = "Kronos" ascii wide fullword 24 | condition: 25 | 4 of them 26 | } 27 | 28 | -------------------------------------------------------------------------------- /behavior/rules/defense_evasion_renamed_autoit_scripts_interpreter.toml: -------------------------------------------------------------------------------- 1 | [rule] 2 | description = """ 3 | Identifies suspicious AutoIT process execution events. 
Attackers may rename an AutoIT executable file in an attempt to 4 | avoid signature-based detection. 5 | """ 6 | id = "99f2327e-871f-4b8a-ae75-d1c4697aefe4" 7 | license = "Elastic License v2" 8 | name = "Renamed AutoIt Scripts Interpreter" 9 | os_list = ["windows"] 10 | version = "1.0.5" 11 | 12 | query = ''' 13 | process where event.action == "start" and 14 | process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe" 15 | ''' 16 | 17 | [[actions]] 18 | action = "kill_process" 19 | field = "process.entity_id" 20 | state = 0 21 | 22 | [[threat]] 23 | framework = "MITRE ATT&CK" 24 | [[threat.technique]] 25 | id = "T1036" 26 | name = "Masquerading" 27 | reference = "https://attack.mitre.org/techniques/T1036/" 28 | [[threat.technique.subtechnique]] 29 | id = "T1036.003" 30 | name = "Rename System Utilities" 31 | reference = "https://attack.mitre.org/techniques/T1036/003/" 32 | 33 | 34 | 35 | [threat.tactic] 36 | id = "TA0005" 37 | name = "Defense Evasion" 38 | reference = "https://attack.mitre.org/tactics/TA0005/" 39 | 40 | [internal] 41 | min_endpoint_version = "7.15.0" 42 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_MassLogger.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_MassLogger_511b001e { 2 | meta: 3 | id = "511b001e-dc67-4e45-9096-0b01101ca0ab" 4 | fingerprint = "14ec9c32af7c1dd4a1f73e37ef9e042c18d9e0179b0e5732752767f93be6d4e2" 5 | creation_date = "2022-03-02" 6 | last_modified = "2022-04-12" 7 | threat_name = "Windows.Trojan.MassLogger" 8 | reference_sample = "177875c756a494872c516000beb6011cec22bd9a73e58ba6b2371dba2ab8c337" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in 
protoc" wide 16 | $a2 = "https://raw.githubusercontent.com/lisence-system/assemply/main/VMprotectEncrypt.jpg" wide fullword 17 | $a3 = "ECHO $SMTPServer = smtp.gmail.com >> %PSScript%" wide fullword 18 | $a4 = "Injecting Default Template...." wide fullword 19 | $a5 = "GetVncLoginMethodAsync" ascii fullword 20 | $a6 = "/c start computerdefaults.exe" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2021_3490.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Exploit_CVE_2021_3490_d369d615 { 2 | meta: 3 | id = "d369d615-d2a3-4f9d-b5c7-eb0fac5d43e7" 4 | fingerprint = "4f8f4c7fabe32a023f8aafb817e2c27c5a5e0e9246ddccacf99a47f2ab850014" 5 | creation_date = "2021-11-12" 6 | last_modified = "2022-01-26" 7 | threat_name = "Linux.Exploit.CVE-2021-3490" 8 | reference_sample = "e65ba616942fd1e893e10898d546fe54458debbc42e0d6826aff7a4bb4b2cf19" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $c1 = "frame_dummy_init_array_entry" 16 | $c2 = "leak_oob_map_ptr" 17 | $c3 = "overwrite_cred" 18 | $c4 = "obj_get_info_by_fd" 19 | $c5 = "kernel_write_uint" 20 | $c6 = "search_init_pid_ns_kstrtab" 21 | $c7 = "search_init_pid_ns_ksymtab" 22 | $msg1 = "failed to leak ptr to BPF map" 23 | $msg2 = "preparing to overwrite creds..." 24 | $msg3 = "success! 
enjoy r00t" 25 | $msg4 = "Useage: %s " 26 | $msg5 = "searching for init_pid_ns in ksymtab" 27 | condition: 28 | 4 of them 29 | } 30 | 31 | -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Grief.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Grief_9953339a { 2 | meta: 3 | id = "9953339a-2c67-4ebd-be51-d1055e341abc" 4 | fingerprint = "d7d70c3681c4d4103d9ff52c3bdd174ccbdb49343c34407e90abb5a83a8422f4" 5 | creation_date = "2021-08-04" 6 | last_modified = "2021-10-04" 7 | threat_name = "Windows.Ransomware.Grief" 8 | reference_sample = "0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = { 65 64 73 63 6F 72 70 69 6F 71 65 6E 61 62 6C 65 54 72 61 6E 73 6C 61 74 65 2E 41 64 65 65 6D 65 64 59 00 5A 41 70 70 6C 69 63 61 74 69 6F 6E 65 69 74 68 65 72 33 34 2E 30 28 39 39 25 6D 65 6D 6F 72 79 2C 77 69 74 68 6F 75 74 00 66 6F 72 47 6F 6F 67 6C 65 6C 74 68 65 6D 6F 72 65 6D 77 61 73 00 39 32 41 6E 69 6E 65 74 68 65 75 48 73 74 61 62 6C 65 73 6F 66 66 69 63 69 61 6C 00 43 4B 76 65 72 73 69 6F 6E 46 71 74 68 65 63 6F 6D 70 61 6E 79 2C 74 6F 6E 2E 35 30 37 00 6E 69 6E 2D 70 61 67 65 44 73 63 61 6E 6E 69 6E 67 61 63 63 65 73 73 48 69 63 6F 6E 72 65 6D } 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Nanocore.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Nanocore_d8c4e3c5 { 2 | meta: 3 | id = "d8c4e3c5-8bcc-43d2-9104-fa3774282da5" 4 | fingerprint = "e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4" 5 | creation_date = "2021-06-13" 6 | last_modified = "2021-08-23" 7 | threat_name = 
"Windows.Trojan.Nanocore" 8 | reference_sample = "b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $a1 = "NanoCore.ClientPluginHost" ascii fullword 16 | $a2 = "NanoCore.ClientPlugin" ascii fullword 17 | $b1 = "get_BuilderSettings" ascii fullword 18 | $b2 = "ClientLoaderForm.resources" ascii fullword 19 | $b3 = "PluginCommand" ascii fullword 20 | $b4 = "IClientAppHost" ascii fullword 21 | $b5 = "GetBlockHash" ascii fullword 22 | $b6 = "AddHostEntry" ascii fullword 23 | $b7 = "LogClientException" ascii fullword 24 | $b8 = "PipeExists" ascii fullword 25 | $b9 = "IClientLoggingHost" ascii fullword 26 | condition: 27 | 1 of ($a*) or 6 of ($b*) 28 | } 29 | 30 | -------------------------------------------------------------------------------- /yara/rules/Linux_Backdoor_Fontonlake.yar: -------------------------------------------------------------------------------- 1 | rule Linux_Backdoor_Fontonlake_fe916a45 { 2 | meta: 3 | id = "fe916a45-75cc-40e4-94ad-6ac0f5d815b9" 4 | fingerprint = "85f16dd4a127737501863ccba006a444d899c6edc6ab03af5dddef2d39edc483" 5 | creation_date = "2021-10-12" 6 | last_modified = "2022-01-26" 7 | threat_name = "Linux.Backdoor.Fontonlake" 8 | reference_sample = "8a0a9740cf928b3bd1157a9044c6aced0dfeef3aa25e9ff9c93e113cbc1117ee" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "linux" 14 | strings: 15 | $a1 = ".cmd.Upload_Passwd.PasswordInfo" fullword 16 | $a2 = "Upload_Passwd" fullword 17 | $a3 = "upload_file_beg" fullword 18 | $a4 = "upload_file_ing" fullword 19 | $a5 = "upload_file_end" fullword 20 | $a6 = "modify_file_attr" fullword 21 | $a7 = "modify_file_time" fullword 22 | $a8 = "import platform;print(platform.linux_distribution()[0]);print(platform.linux_distribution()[1]);print(platform.release())" 
fullword 23 | $a9 = "inject.so" fullword 24 | $a10 = "rm -f /tmp/%s" fullword 25 | $a11 = "/proc/.dot3" fullword 26 | condition: 27 | 4 of them 28 | } 29 | 30 | -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Pingpull.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Pingpull_09dd9559 { 2 | meta: 3 | id = "09dd9559-ce77-4f55-9e81-3b90add40103" 4 | fingerprint = "b471e0f40780523bf396323a3b70fd285944fef2960ae43a36068eaf2f2fea4f" 5 | creation_date = "2022-06-16" 6 | last_modified = "2022-07-18" 7 | threat_name = "Windows.Trojan.Pingpull" 8 | reference_sample = "de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $s1 = "PROJECT_%s_%s_%08X" ascii fullword 16 | $s2 = "Iph1psvc" ascii fullword 17 | $s3 = "IP He1per" ascii fullword 18 | $s4 = "If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer." 19 | $a1 = { 02 C? 66 C7 44 24 ?? 3A 00 4C 8D 44 24 ?? 88 4C 24 ?? 48 83 C9 FF 88 44 24 ?? F2 AE 33 ?? 0F 1F } 20 | $a2 = { 48 85 FF 74 ?? 41 C1 E0 04 0F B6 4C 3C ?? 33 D2 8D 41 ?? ?? 19 77 ?? 80 C1 E0 8D 41 ?? 3C 09 77 } 21 | $a3 = { 4C 63 74 24 ?? 48 8B ?? 43 8D 44 36 ?? 4C 63 E8 49 8B CD E8 ?? ?? ?? ?? 48 8B ?? 
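48 85 C0 0F 84 }
    condition:
        3 of them
}

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/yara_rule_tuning.md:
--------------------------------------------------------------------------------
---
name: YARA - Report an existing rule for tuning
about: Suggestion for logic changes to an existing YARA rule
title: "[Rule Tuning] Name of YARA rule"
labels: yara, Tuning
assignees: ''

---

## Impacted Rule:
Rule Name with ID:

## Description

## Example Sample
SHA-256 of a sample that does (or should) trigger the rule, or a public sandbox / VirusTotal link. Do not attach live malware to the issue.

--------------------------------------------------------------------------------
/yara/rules/Linux_Cryptominer_Bulz.yar:
--------------------------------------------------------------------------------
// NOTE(review): neither Bulz rule records a reference_sample, unlike sibling rules in this
// repository (e.g. Setag_01e2f79b, Ganiw_99349371, Flystudio_579a3a4d). Add the SHA-256 the
// byte pattern was cut from so tuning reports against these rules can be reproduced.
rule Linux_Cryptominer_Bulz_2aa8fbb5 {
    meta:
        id = "2aa8fbb5-b392-49fc-8f0f-12cd06d534e2"
        fingerprint = "c8fbeae6cf935fe629c37abc4fdcda2c80c1b19fc8b6185a58decead781e1321"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Cryptominer.Bulz"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Single 22-byte code pattern; "all of them" is therefore equivalent to "$a".
        $a = { FE D7 C5 D9 72 F2 09 C5 E9 72 D2 17 C5 E9 EF D4 C5 E9 EF D6 C5 C1 }
    condition:
        all of them
}

rule Linux_Cryptominer_Bulz_0998f811 {
    meta:
        id = "0998f811-7be3-4d46-9dcb-1e8a0f19bab5"
        fingerprint = "c8a83bc305998cb6256b004e9d8ce6d5d1618b107e42be139b73807462b53c31"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Cryptominer.Bulz"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 79 70 E4 39 C5 F9 70 C9 4E C5 91 72 F0 12 C5 F9 72 D0 0E C5 91 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/behavior/rules/defense_evasion_potential_defense_evasion_via_filter_manager_control_program.toml:
--------------------------------------------------------------------------------
[rule]
description = "Identifies attempt to unload a security driver via the Filter Manager Control Program."
id = "5b39f347-077c-4a1e-8d3c-6f7789ca09e8"
license = "Elastic License v2"
name = "Potential Defense Evasion via Filter Manager Control Program"
os_list = ["windows"]
reference = ["https://lolbas-project.github.io/lolbas/Binaries/FltMC/"]
# Bumped from 1.0.5: the command_line list below gained "*WdFilter*".
version = "1.0.6"

# The match is keyed on the PE OriginalFilename, so a renamed copy of fltmc.exe is still caught; a
# copy with its version resource stripped is not. The command_line list names the minifilters that
# matter to this product plus Sysmon; "*WdFilter*" (the Microsoft Defender Antivirus minifilter) was
# added because `fltmc unload WdFilter` is the same defense-evasion step against the built-in AV.
# Other vendors' filter names are still not covered - extend the list per deployed EDR/AV.
query = '''
process where event.action == "start" and
 process.pe.original_file_name == "fltMC.exe" and
 process.args : "unload" and process.command_line : ("*security*", "*sysmon*", "*esensor*", "*Elastic*", "*WdFilter*")
'''

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[internal]
min_endpoint_version = "7.15.0"

--------------------------------------------------------------------------------
/yara/rules/MacOS_Virus_Vsearch.yar:
--------------------------------------------------------------------------------
rule MacOS_Virus_Vsearch_0dd3ec6f {
    meta:
        id = "0dd3ec6f-815f-40e1-bd53-495e0eae8196"
        fingerprint = "8adbd06894e81dc09e46d8257d4e5fcd99e714f54ffb36d5a8d6268ea25d0bd6"
        creation_date = "2021-10-05"
        last_modified = "2021-10-25"
        threat_name = "MacOS.Virus.Vsearch"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "macos"
    strings:
        // Decodes to "/\x00VSDownloader.m\x00/Macintos": NUL-separated source-file and path
        // fragments, presumably left in a symbol/debug table. A stripped build of the same
        // code would not match - confirm coverage against stripped samples.
        $a = { 2F 00 56 53 44 6F 77 6E 6C 6F 61 64 65 72 2E 6D 00 2F 4D 61 63 69 6E 74 6F 73 }
    condition:
        all of them
}

rule MacOS_Virus_Vsearch_2a0419f8 {
    meta:
        id = "2a0419f8-95b2-4f87-a37a-ee0b65e344e9"
        fingerprint = "2da9f0fc05bc8e23feb33b27142f46fb437af77766e39889a02ea843d52d17eb"
        creation_date = "2021-10-05"
        last_modified = "2021-10-25"
        threat_name = "MacOS.Virus.Vsearch"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "macos"
    strings:
        // Decodes to "ormal/i386/VSDownloader.o\x00" - a build-output path fragment; same
        // stripped-binary caveat as the rule above. The "i386" segment is consistent with
        // arch_context = "x86".
        $a = { 6F 72 6D 61 6C 2F 69 33 38 36 2F 56 53 44 6F 77 6E 6C 6F 61 64 65 72 2E 6F 00 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/behavior/rules/credential_access_dumping_account_hashes_via_built_in_commands.toml:
--------------------------------------------------------------------------------
[rule]
description = """
Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump
credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for
lateral movement.
"""
id = "2ed766db-e0b0-4a07-8ec1-4e41dd406b64"
license = "Elastic License v2"
name = "Dumping Account Hashes via Built-In Commands"
os_list = ["macos"]
reference = [
    "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
    "https://www.unix.com/man-page/osx/8/mkpassdb/",
]
version = "1.0.5"

# Matches `defaults ... ShadowHashData` (reading the dslocal user plist) and `mkpassdb -dump`.
# NOTE(review): the other common path to the same data, `dscl . -read /Users/<user> ShadowHashData`
# (also spelled dsAttrTypeNative:ShadowHashData), is not covered; adding "dscl" to process.name and
# "*ShadowHashData*" to process.args would close that gap - validate against fleet telemetry first.
# Reading the plist normally requires root, so expect a preceding sudo in the parent chain.
query = '''
process where event.type == "start" and
 process.name : ("defaults", "mkpassdb") and process.args : ("ShadowHashData", "-dump")
'''

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"


[threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[internal]
min_endpoint_version = "7.15.0"

--------------------------------------------------------------------------------
/yara/rules/Windows_Trojan_Donutloader.yar:
--------------------------------------------------------------------------------
rule Windows_Trojan_Donutloader_f40e3759 {
    meta:
        id = "f40e3759-2531-4e21-946a-fb55104814c0"
        fingerprint = "6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7"
        creation_date = "2021-09-15"
        last_modified = "2022-01-13"
        threat_name = "Windows.Trojan.Donutloader"
        severity = 100
        // NOTE(review): the strings below are named per bitness but only x86 is declared here;
        // confirm whether x64 should be listed too (or whether "x86" is the repo's generic label).
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // $x64 contains a REX-prefixed load (4C 8B 49 10) and so can only match 64-bit code.
        $x64 = { 06 B8 03 40 00 80 C3 4C 8B 49 10 49 }
        $x86 = { 04 75 EE 89 31 F0 FF 46 04 33 C0 EB }
    condition:
        any of them
}

rule Windows_Trojan_Donutloader_5c38878d {
    meta:
        id = "5c38878d-ca94-4fd9-a36e-1ae5fe713ca2"
        fingerprint = "3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150"
        creation_date = "2021-09-15"
        // NOTE(review): was "2021-01-13", which predates creation_date; the sibling rule in this
        // file uses "2022-01-13", so this is almost certainly a typo. If `fingerprint` is derived
        // from the rule text, regenerate it after this change.
        last_modified = "2022-01-13"
        threat_name = "Windows.Trojan.Donutloader"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { 24 48 03 C2 48 89 44 24 28 41 8A 00 84 C0 74 14 33 D2 FF C1 }
    condition:
        any of them
}

--------------------------------------------------------------------------------
/behavior/rules/privilege_escalation_suspicious_windows_service_execution.toml:
--------------------------------------------------------------------------------
[rule]
description = """
Identifies the execution of a Windows service from suspicious path such as mounted localhost admin share. This may
indicate an attempt to elevate privileges via windows services.
"""
id = "cd25c529-73b4-4a9d-84a9-e24c4a3540d1"
license = "Elastic License v2"
name = "Suspicious Windows Service Execution"
os_list = ["windows"]
version = "1.0.4"

# Requires the service host to be a SYSTEM-integrity child of services.exe launched from a UNC path.
# NOTE(review): only the C$ and ADMIN$ shares are enumerated; a service image served from another
# drive share (D$ ...) or a custom share bypasses the third pattern. "\\Device\\Mup\\*\\?$\\*" would
# cover every single-letter admin share - check how the endpoint normalises \\localhost and
# \\<hostname> paths before relying on the 127.0.0.1 literal alone.
query = '''
process where event.action == "start" and
 process.parent.name : "services.exe" and
 process.Ext.token.integrity_level_name == "system" and
 process.executable : ("\\\\127.0.0.1\\*", "\\Device\\Mup\\*\\c$\\*", "\\Device\\Mup\\*\\ADMIN$\\*")
'''

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



[threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[internal]
min_endpoint_version = "7.15.0"

--------------------------------------------------------------------------------
/behavior/rules/credential_access_potential_access_to_kerberos_cached_credentials.toml:
--------------------------------------------------------------------------------
[rule]
description = "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets."
id = "dc8fa849-efb4-45d1-be1a-9472325ff746"
license = "Elastic License v2"
name = "Potential Access to Kerberos Cached Credentials"
os_list = ["macos"]
reference = [
    "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
    "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html",
]
# Bumped from 1.0.4: ATT&CK sub-technique remapped (see below).
version = "1.0.5"

# `kcc copy_cred_cache` copies the current Heimdal credential cache to another location, which is
# what the referenced EmPyre kerberosdump module does. The match is on the binary name plus the
# sub-command string, so a copied/renamed kcc binary is not covered.
query = '''
process where event.type == "start" and
 process.name : "kcc" and process.command_line : "*copy_cred_cache*"
'''

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"
# NOTE(review): this was mapped to T1558.003 Kerberoasting, which is the request-and-crack of
# service tickets for SPNs, not the theft of an existing credential cache that this rule detects.
# Remapped to the Ccache Files sub-technique; if the rule tooling pins an ATT&CK version that
# predates it, fall back to the parent T1558 rather than .003.
[[threat.technique.subtechnique]]
id = "T1558.005"
name = "Ccache Files"
reference = "https://attack.mitre.org/techniques/T1558/005/"



[threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[internal]
min_endpoint_version = "7.15.0"

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Setag.yar:
--------------------------------------------------------------------------------
rule Linux_Trojan_Setag_351eeb76 {
    meta:
        id = "351eeb76-ccca-40d5-8ee3-e8daf6494dda"
        fingerprint = "c6edc7ae898831e9cc3c92fcdce4cd5b4412de061575e6da2f4e07776e0885f5"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Setag"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Unoptimised 32-bit frame-pointer code (8B 45 F8 = mov eax,[ebp-8]; C1 E0 02 = shl eax,2;
        // 01 C2 = add edx,eax). Such sequences are compiler idioms rather than malware-specific
        // logic, so this rule's false-positive rate on other -O0 builds should be validated.
        $a = { 04 8B 45 F8 C1 E0 02 01 C2 8B 45 EC 89 02 8D 45 F8 FF 00 8B }
    condition:
        all of them
}

rule Linux_Trojan_Setag_01e2f79b {
    meta:
        id = "01e2f79b-fcbc-41d0-a68b-3a692b893f26"
        fingerprint = "4ea87a6ccf907babdebbbb07b9bc32a5437d0213f1580ea4b4b3f44ce543a5bd"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Setag"
        reference_sample = "5b5e8486174026491341a750f6367959999bbacd3689215f59a62dbb13a45fcc"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Same caveat as above: frame-relative loads/stores and an lea-and-push argument setup.
        $a = { 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/behavior/rules/credential_access_lsa_dump_via_silentprocessexit.toml:
--------------------------------------------------------------------------------
[rule]
description = """
Identifies the modification of the Image File Execution Options SilentProcessExit key that can be abused to dump LSASS
memory via the Windows Error Reporting WerFault.exe. Adversaries may use this technique for credential access.
"""
id = "28969fe6-0ebe-4442-b40c-dbe9b4234f5e"
license = "Elastic License v2"
name = "LSA Dump via SilentProcessExit"
os_list = ["windows"]
reference = [
    "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
]
version = "1.0.8"

# Any registry event on a SilentProcessExit\lsass* subkey fires the rule; there is no event.action
# filter, so creation, value writes and deletion all match and kill_process then terminates whichever
# process touched the key. Scoping to lsass keeps this a credential-access rule; the same IFEO
# mechanism can target any other process name and is not covered here.
query = '''
registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass*"
'''

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"



[threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[internal]
min_endpoint_version = "7.15.0"

--------------------------------------------------------------------------------
/yara/rules/Linux_Trojan_Ganiw.yar:
--------------------------------------------------------------------------------
rule Linux_Trojan_Ganiw_99349371 {
    meta:
        id = "99349371-644e-4954-9b7d-f2f579922565"
        fingerprint = "6b0cbea419915567c2ecd84bfcb2c7f7301435ee953f16c6dcba826802637551"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Ganiw"
        reference_sample = "e8dbb246fdd1a50226a36c407ac90eb44b0cf5e92bf0b92c89218f474f9c2afb"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Spans a function epilogue (C9 C3 = leave; ret) into the next prologue (55 89 E5 53 =
        // push ebp; mov ebp,esp; push ebx) - generic 32-bit code shape, validate the FP rate.
        $a = { 10 66 89 43 02 8B 5D FC C9 C3 55 89 E5 53 83 EC 04 8B 45 14 8B }
    condition:
        all of them
}

rule Linux_Trojan_Ganiw_b9f045aa {
    meta:
        id = "b9f045aa-99fa-47e9-b179-ac62158b3fe2"
        fingerprint = "0aaec92ca1c622df848bba80a2f1e4646252625d58e28269965b13d65158f238"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Trojan.Ganiw"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // FC 31 C0 8B 7D 08 AB x6 = cld; xor eax,eax; mov edi,[ebp+8]; six stosd - an inlined
        // zero-fill of a 24-byte structure. This is a compiler idiom and may match unrelated
        // binaries; consider anchoring it with a second, family-specific string.
        $a = { E5 57 8B 55 0C 85 D2 74 21 FC 31 C0 8B 7D 08 AB AB AB AB AB AB }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/.github/workflows/duplicate_issue.yml:
--------------------------------------------------------------------------------
on:
  issues:
    types: [opened]
name: Duplicate Open Issue to Internal Repo

# NOTE(review): this runs for every issue opened in a public repository and writes into internal
# repositories with PROTECTIONS_MACHINE_TOKEN. The default GITHUB_TOKEN is never used (each step
# overrides the GITHUB_TOKEN env with the PAT), so strip its permissions entirely to limit the blast
# radius if a step is ever compromised. Scope the PAT itself to the two target repos (issues: write).
permissions: {}

jobs:
  post_new_issue:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v2.x` is a floating tag; pin to a full commit SHA (keep the tag in a trailing
      # comment) so a compromised upstream tag cannot read the PAT. The `if:` gates below depend on
      # labels present at open time, which issue templates set (e.g. yara_rule_tuning.md applies
      # "yara"), so any external user can trigger the copy - expect spam to land internally.
      - name: Duplicate issue to internal behavior repo
        uses: octokit/request-action@v2.x
        if: contains(github.event.issue.labels.*.name, 'behavior')
        with:
          route: POST /repos/{owner}/{repo}/issues
          owner: elastic
          repo: endpoint-rules
          title: "${{ toJSON(format('{0} {1}', '[Openness Issue]', github.event.issue.title ))}}"
          body: ${{toJSON(github.event.issue.body)}}
          labels: ${{toJSON(github.event.issue.labels)}}
        env:
          GITHUB_TOKEN: ${{ secrets.PROTECTIONS_MACHINE_TOKEN }}

      - name: Duplicate issue to internal yara repo
        uses: octokit/request-action@v2.x
        if: contains(github.event.issue.labels.*.name, 'yara')
        with:
          route: POST /repos/{owner}/{repo}/issues
          owner: elastic
          repo: protections-yara-rules
          title: "${{ toJSON(format('{0} {1}', '[Openness Issue]', github.event.issue.title ))}}"
          body: ${{toJSON(github.event.issue.body)}}
          labels: ${{toJSON(github.event.issue.labels)}}
        env:
          GITHUB_TOKEN: ${{ secrets.PROTECTIONS_MACHINE_TOKEN }}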
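--------------------------------------------------------------------------------
/behavior/rules/command_and_control_netwire_rat_registry_modification.toml:
--------------------------------------------------------------------------------
[rule]
description = """
Identifies registry modification activity consistent with the NetWire Remote Access Trojan (RAT). NetWire is a publicly
available, multi-platform RAT that is used by criminal and APT groups. 
"""
id = "102f340f-1839-4bad-8493-824cc02c4e69"
license = "Elastic License v2"
name = "NetWire RAT Registry Modification"
os_list = ["windows"]
reference = ["https://attack.mitre.org/software/S0198/", "https://any.run/malware-trends/netwire"]
# Bumped from 1.0.5: the SID segment of the registry paths was widened (see below).
version = "1.0.6"

# The SOFTWARE\NetWire\{HostId,Install Date} values are the implant's own marker keys, so any hive
# they land in is interesting. The previous paths only matched "S-1-5-21-*" SIDs, which misses user
# hives with other prefixes (e.g. Azure AD accounts use S-1-12-1-*, and a SYSTEM-context implant
# writes under S-1-5-18); the SID segment is now a plain wildcard. No benign software writes this key.
query = '''
registry where
 registry.path : (
    "HKEY_USERS\\*\\SOFTWARE\\NetWire\\HostId",
    "HKEY_USERS\\*\\SOFTWARE\\NetWire\\Install Date")
'''

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# NOTE(review): this second threat entry carries a tactic but no technique; confirm the rule schema
# accepts a tactic-only mapping, otherwise attach the technique the C2 tactic is meant to express.
[[threat]]
framework = "MITRE ATT&CK"

[threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[internal]
min_endpoint_version = "7.15.0"

--------------------------------------------------------------------------------
/behavior/rules/execution_privilege_escalation_enumeration_via_linpeas.toml:
--------------------------------------------------------------------------------
[rule]
description = """
Identifies suspicious command line patterns that indicate LinPEAS execution. LinPEAS is a script that search for
possible paths to escalate privileges on Linux/Unix/MacOS hosts.
"""
id = "92bb2a27-745b-4291-90a1-b7b654df1379"
license = "Elastic License v2"
name = "Privilege Escalation Enumeration via LinPEAS"
os_list = ["linux", "macos"]
reference = ["https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS"]
version = "1.0.6"

# Keys on a literal sed argument that is distinctive to the stock linPEAS script. `like` is a
# case-sensitive wildcard match, so the exact capitalisation matters. This is a cheap, high-precision
# indicator but trivially evaded by editing one token of the script; treat it as a canary, not
# as coverage of PEASS-style enumeration in general.
query = '''
process where event.action == "exec" and
 process.name == "sed" and process.command_line like "*ImPoSSssSiBlEee*"
'''

# Both the sed child and the shell that is running the script are terminated.
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[actions]]
action = "kill_process"
field = "process.parent.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"



[threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[internal]
min_endpoint_version = "7.14.0"

--------------------------------------------------------------------------------
/behavior/rules/execution_suspicious_automator_workflows_execution.toml:
--------------------------------------------------------------------------------
[rule]
description = """
Identifies the execution of the Automator Workflows process followed by a network connection from the XPC service.
Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an
alternative to using osascript.
"""
id = "e390d36d-c739-43ee-9e3d-5a76fa853bd5"
license = "Elastic License v2"
name = "Suspicious Automator Workflows Execution"
os_list = ["macos"]
reference = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
version = "1.0.7"

# NOTE(review): the sequence has no `by` join key, so any `automator` exec on the host followed
# within 30 s by any network event from com.apple.automator.runner correlates, even when they are
# unrelated. The runner is an XPC service rather than a child of automator, so a process-id join is
# not available; confirm whether a user.id join is viable before tightening.
query = '''
sequence with maxspan=30s
 [process where event.action == "exec" and process.name == "automator"]
 [network where process.name == "com.apple.automator.runner"]
'''

# state = 1 terminates the process of the second event (the XPC runner), not automator itself.
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 1

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"



[threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[internal]
min_endpoint_version = "7.15.0"

--------------------------------------------------------------------------------
/behavior/rules/privilege_escalation_privilege_escalation_via_named_pipe_impersonation.toml:
--------------------------------------------------------------------------------
[rule]
description = """
Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by
utilizing a framework like Metasploit's getsystem command.
"""
id = "a0265178-779d-4bc5-b3f1-abb3bcddedab"
license = "Elastic License v2"
name = "Privilege Escalation via Named Pipe Impersonation"
os_list = ["windows"]
reference = [
    "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation",
]
version = "1.0.8"

# Matches the `cmd /c echo <x> > \\.\pipe\<name>` pattern used to force a client connection to an
# attacker-owned pipe. `in` is a case-sensitive exact comparison, so the OriginalFilename casing
# ("Cmd.Exe", "PowerShell.EXE") must be preserved. NOTE(review): PowerShell 7 (pwsh) is not listed;
# confirm its OriginalFilename value and add it. The Chrome exclusion covers native-messaging hosts
# launched by extensions that legitimately echo into pipes.
query = '''
process where event.action == "start" and
 process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and process.command_line : "*echo*>*\\\\.\\pipe\\*" and
 not (process.command_line : "*chrome-extension://*" and process.parent.executable : "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")
'''

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"


[threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[internal]
min_endpoint_version = "7.15.0"

--------------------------------------------------------------------------------
/behavior/rules/defense_evasion_operating_system_security_updates_disabled.toml:
--------------------------------------------------------------------------------
[rule]
description = """
Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in
an attempt to disable security updates.
"""
id = "741ad90d-e8d0-4d29-b91b-3d68108cb789"
license = "Elastic License v2"
name = "Operating System Security Updates Disabled"
os_list = ["macos"]
reference = ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"]
# Bumped from 1.0.4: the boolean value list below was extended.
version = "1.0.5"

# `defaults write ... CriticalUpdateInstall -bool <false-ish>`. The `defaults` -bool switch accepts
# true/false/yes/no, so matching only "NO" missed the more common `-bool false` spelling; `:` is
# case-insensitive, so lowercase variants are covered too. NOTE(review): sibling keys that also
# weaken updating (e.g. ConfigDataInstall, AutomaticCheckEnabled) and the `-int 0` spelling are
# still out of scope - extend after checking benign MDM/config-management usage in telemetry.
query = '''
process where event.type == "start" and
 process.name == "defaults" and
 process.args : "write" and process.args : "-bool" and
 process.command_line : "*com.apple.SoftwareUpdate*" and process.args : "CriticalUpdateInstall" and process.args : ("NO", "FALSE")
'''

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[internal]
min_endpoint_version = "7.15.0"

--------------------------------------------------------------------------------
/yara/rules/Linux_Cryptominer_Flystudio.yar:
--------------------------------------------------------------------------------
rule Linux_Cryptominer_Flystudio_579a3a4d {
    meta:
        id = "579a3a4d-ddb0-4f73-9224-16fba973d624"
        fingerprint = "148b27046f72a7645ebced9f76424ffd7b368347311b04c9357d5d4ea8d373fb"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Cryptominer.Flystudio"
        reference_sample = "84afc47554cf42e76ef8d28f2d29c28f3d35c2876cec2fb1581b0ac7cfe719dd"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // SSE2 shift/xor/move sequence (66 0F 72 F1 05 = pslld xmm1,5; 66 0F EF = pxor;
        // 66 0F 6F = movdqa) - the shape of a vectorised hash round. Generic crypto libraries
        // compile to similar code, so validate against benign software that embeds SHA/Keccak.
        $a = { EF C1 66 0F 72 F1 05 66 0F EF C2 66 0F EF C1 66 0F 6F CD 66 0F }
    condition:
        all of them
}

rule Linux_Cryptominer_Flystudio_0a370634 {
    meta:
        id = "0a370634-51de-46bf-9397-c41ef08a7b83"
        fingerprint = "6613ddd986e2bf4b306cd1a5c28952da8068f1bb533c53557e2e2add5c2dbd1f"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Cryptominer.Flystudio"
        severity = 100
        // NOTE(review): the pattern below carries REX prefixes (66 41 0F ..., 66 44 0F), i.e. it can
        // only match x86-64 code; confirm whether arch_context should say so.
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 72 D7 19 66 41 0F EF E9 66 0F EF EF 66 0F 6F FD 66 41 0F FE FD 66 44 0F }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara/rules/Windows_Trojan_SnakeKeylogger.yar:
--------------------------------------------------------------------------------
rule Windows_Trojan_SnakeKeylogger_af3faa65 {
    meta:
        id = "af3faa65-b19d-4267-ac02-1a3b50cdc700"
        fingerprint = "15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d"
        creation_date = "2021-04-06"
        last_modified = "2021-08-23"
        threat_name = "Windows.Trojan.SnakeKeylogger"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // .NET member names. NOTE(review): the get_/set_encrypted* accessors are the shape of
        // browser-credential decryption code that several .NET stealers share, so the 8-of-13
        // branch may cross-match other families; $b1/$c1 are the Snake-specific anchors.
        $a1 = "get_encryptedPassword" ascii fullword
        $a2 = "get_encryptedUsername" ascii fullword
        $a3 = "get_timePasswordChanged" ascii fullword
        $a4 = "get_passwordField" ascii fullword
        $a5 = "set_encryptedPassword" ascii fullword
        $a6 = "get_passwords" ascii fullword
        $a7 = "get_logins" ascii fullword
        $a8 = "GetOutlookPasswords" ascii fullword
        $a9 = "StartKeylogger" ascii fullword
        $a10 = "KeyLoggerEventArgs" ascii fullword
        $a11 = "KeyLoggerEventArgsEventHandler" ascii fullword
        $a12 = "GetDataPassword" ascii fullword
        $a13 = "_encryptedPassword" ascii fullword
        // Log/exfil banner; counted (#b1) rather than merely present, so a single embedded
        // reference (e.g. in a report or sandbox artifact) does not fire the rule.
        $b1 = "----------------S--------N--------A--------K--------E----------------"
        $c1 = "SNAKE-KEYLOGGER" ascii fullword
    condition:
        8 of ($a*) or #b1 > 5 or #c1 > 5
}

--------------------------------------------------------------------------------
/behavior/rules/command_and_control_suspicious_netsupport_execution.toml:
--------------------------------------------------------------------------------
[rule]
description = """
Identifies a suspicious execution of NetSupport remote access software from non-default paths, issuing a DNS query to a
non-standard NetSupport domain.
"""
id = "ad53a366-161a-4fa7-a75a-cc00658a767f"
license = "Elastic License v2"
name = "Suspicious NetSupport Execution"
os_list = ["windows"]
reference = ["https://www.netsupportsoftware.com/"]
version = "1.0.4"

# Joined on process.entity_id: the same client32.exe instance must both start outside Program Files
# and resolve any name other than *.netsupportsoftware.com within a minute. The signer check keeps
# this focused on abuse of the genuine, signed binary (the usual loader-delivered case); an unsigned
# or repacked copy is deliberately out of scope here. NOTE(review): the first step has no
# event.action filter and code_signature.trusted is not asserted - a forged subject_name on an
# untrusted signature still satisfies the match, which is fine for this rule's purpose but worth
# documenting.
query = '''
sequence by process.entity_id with maxspan=1m
 [process where process.pe.original_file_name : "client32.exe" and
  process.code_signature.subject_name : "NetSupport Ltd" and
  not process.executable : ("?:\\Program Files\\NetSupport*.exe", "?:\\Program Files (x86)\\NetSupport*.exe") and
  not process.parent.executable : ("?:\\Program Files\\NetSupport*.exe", "?:\\Program Files (x86)\\NetSupport*.exe")]
 [dns where not dns.question.name : "*.netsupportsoftware.com"]
'''

[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1219"
name = "Remote Access Software"
reference = "https://attack.mitre.org/techniques/T1219/"


[threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[internal]
min_endpoint_version = "7.15.0"
--------------------------------------------------------------------------------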