├── .gitignore ├── LICENSE ├── README.md ├── door_scanner ├── config.json ├── door_scanner_2022_10_20.exe ├── door_scanner_2022_8_26.exe ├── door_scanner_2023_8_3.exe └── offline_scan.py ├── memory_scanner ├── config.json ├── memory_scanner.exe ├── memory_scanner_2024_5_27.exe └── yara_rules │ └── es_rules │ ├── Multi_AttackSimulation_Blindspot.yar │ ├── Multi_EICAR.yar │ ├── Multi_Ransomware_BlackCat.yar │ ├── Multi_Ransomware_Luna.yar │ ├── Multi_Trojan_Coreimpact.yar │ ├── Multi_Trojan_Sliver.yar │ ├── Windows_AttackSimulation_Hovercraft.yar │ ├── Windows_Backdoor_DragonCastling.yar │ ├── Windows_Backdoor_Goldbackdoor.yar │ ├── Windows_Backdoor_TeamViewer.yar │ ├── Windows_Cryptominer_Generic.yar │ ├── Windows_Exploit_Dcom.yar │ ├── Windows_Exploit_Eternalblue.yar │ ├── Windows_Exploit_Log4j.yar │ ├── Windows_Hacktool_BlackBone.yar │ ├── Windows_Hacktool_Capcom.yar │ ├── Windows_Hacktool_CheatEngine.yar │ ├── Windows_Hacktool_CpuLocker.yar │ ├── Windows_Hacktool_DarkLoadLibrary.yar │ ├── Windows_Hacktool_Dcsyncer.yar │ ├── Windows_Hacktool_Gmer.yar │ ├── Windows_Hacktool_Havoc.yar │ ├── Windows_Hacktool_LeiGod.yar │ ├── Windows_Hacktool_Mimikatz.yar │ ├── Windows_Hacktool_Nighthawk.yar │ ├── Windows_Hacktool_PhysMem.yar │ ├── Windows_Hacktool_ProcessHacker.yar │ ├── Windows_Hacktool_RWEverything.yar │ ├── Windows_Hacktool_Rubeus.yar │ ├── Windows_Hacktool_SafetyKatz.yar │ ├── Windows_Hacktool_Seatbelt.yar │ ├── Windows_Hacktool_SharPersist.yar │ ├── Windows_Hacktool_SharpAppLocker.yar │ ├── Windows_Hacktool_SharpChromium.yar │ ├── Windows_Hacktool_SharpDump.yar │ ├── Windows_Hacktool_SharpHound.yar │ ├── Windows_Hacktool_SharpLAPS.yar │ ├── Windows_Hacktool_SharpMove.yar │ ├── Windows_Hacktool_SharpRDP.yar │ ├── Windows_Hacktool_SharpShares.yar │ ├── Windows_Hacktool_SharpStay.yar │ ├── Windows_Hacktool_SharpUp.yar │ ├── Windows_Hacktool_SharpView.yar │ ├── Windows_Hacktool_SharpWMI.yar │ ├── Windows_Hacktool_WinPEAS_ng.yar │ ├── Windows_PUP_Veriato.yar │ ├── 
Windows_Ransomware_Avoslocker.yar │ ├── Windows_Ransomware_Bitpaymer.yar │ ├── Windows_Ransomware_BlackBasta.yar │ ├── Windows_Ransomware_Blackmatter.yar │ ├── Windows_Ransomware_Clop.yar │ ├── Windows_Ransomware_Conti.yar │ ├── Windows_Ransomware_Cuba.yar │ ├── Windows_Ransomware_Darkside.yar │ ├── Windows_Ransomware_Dharma.yar │ ├── Windows_Ransomware_Doppelpaymer.yar │ ├── Windows_Ransomware_Egregor.yar │ ├── Windows_Ransomware_Generic.yar │ ├── Windows_Ransomware_Grief.yar │ ├── Windows_Ransomware_Haron.yar │ ├── Windows_Ransomware_Hellokitty.yar │ ├── Windows_Ransomware_Helloxd.yar │ ├── Windows_Ransomware_Hive.yar │ ├── Windows_Ransomware_Lockbit.yar │ ├── Windows_Ransomware_Lockfile.yar │ ├── Windows_Ransomware_Magniber.yar │ ├── Windows_Ransomware_Makop.yar │ ├── Windows_Ransomware_Maui.yar │ ├── Windows_Ransomware_Maze.yar │ ├── Windows_Ransomware_Mespinoza.yar │ ├── Windows_Ransomware_Mountlocker.yar │ ├── Windows_Ransomware_Nightsky.yar │ ├── Windows_Ransomware_Pandora.yar │ ├── Windows_Ransomware_Phobos.yar │ ├── Windows_Ransomware_Ragnarok.yar │ ├── Windows_Ransomware_Ransomexx.yar │ ├── Windows_Ransomware_Rook.yar │ ├── Windows_Ransomware_Royal.yar │ ├── Windows_Ransomware_Ryuk.yar │ ├── Windows_Ransomware_Snake.yar │ ├── Windows_Ransomware_Sodinokibi.yar │ ├── Windows_Ransomware_Stop.yar │ ├── Windows_Ransomware_Thanos.yar │ ├── Windows_Ransomware_WannaCry.yar │ ├── Windows_Ransomware_WhisperGate.yar │ ├── Windows_Rootkit_R77.yar │ ├── Windows_Shellcode_Generic.yar │ ├── Windows_Trojan_A310logger.yar │ ├── Windows_Trojan_AgentTesla.yar │ ├── Windows_Trojan_Amadey.yar │ ├── Windows_Trojan_ArkeiStealer.yar │ ├── Windows_Trojan_Asyncrat.yar │ ├── Windows_Trojan_AveMaria.yar │ ├── Windows_Trojan_Azorult.yar │ ├── Windows_Trojan_Babylonrat.yar │ ├── Windows_Trojan_Backoff.yar │ ├── Windows_Trojan_Bandook.yar │ ├── Windows_Trojan_Bazar.yar │ ├── Windows_Trojan_Beam.yar │ ├── Windows_Trojan_Bitrat.yar │ ├── Windows_Trojan_BlackShades.yar │ ├── 
Windows_Trojan_Blister.yar │ ├── Windows_Trojan_BruteRatel.yar │ ├── Windows_Trojan_Buerloader.yar │ ├── Windows_Trojan_Bughatch.yar │ ├── Windows_Trojan_Bumblebee.yar │ ├── Windows_Trojan_CaesarKbd.yar │ ├── Windows_Trojan_Carberp.yar │ ├── Windows_Trojan_Clipbanker.yar │ ├── Windows_Trojan_CobaltStrike.yar │ ├── Windows_Trojan_Cryptbot.yar │ ├── Windows_Trojan_CyberGate.yar │ ├── Windows_Trojan_DBatLoader.yar │ ├── Windows_Trojan_DCRat.yar │ ├── Windows_Trojan_Danabot.yar │ ├── Windows_Trojan_DarkVNC.yar │ ├── Windows_Trojan_Darkcomet.yar │ ├── Windows_Trojan_Deimos.yar │ ├── Windows_Trojan_DiamondFox.yar │ ├── Windows_Trojan_Diceloader.yar │ ├── Windows_Trojan_Donutloader.yar │ ├── Windows_Trojan_DoorMe.yar │ ├── Windows_Trojan_DoubleBack.yar │ ├── Windows_Trojan_Dridex.yar │ ├── Windows_Trojan_Emotet.yar │ ├── Windows_Trojan_Farfli.yar │ ├── Windows_Trojan_Fickerstealer.yar │ ├── Windows_Trojan_Formbook.yar │ ├── Windows_Trojan_Garble.yar │ ├── Windows_Trojan_Generic.yar │ ├── Windows_Trojan_Gh0st.yar │ ├── Windows_Trojan_Glupteba.yar │ ├── Windows_Trojan_Gozi.yar │ ├── Windows_Trojan_Guloader.yar │ ├── Windows_Trojan_Hancitor.yar │ ├── Windows_Trojan_Hawkeye.yar │ ├── Windows_Trojan_IcedID.yar │ ├── Windows_Trojan_JesterStealer.yar │ ├── Windows_Trojan_Jupyter.yar │ ├── Windows_Trojan_Kronos.yar │ ├── Windows_Trojan_Limerat.yar │ ├── Windows_Trojan_Lokibot.yar │ ├── Windows_Trojan_Lucifer.yar │ ├── Windows_Trojan_Lurker.yar │ ├── Windows_Trojan_MassLogger.yar │ ├── Windows_Trojan_Matanbuchus.yar │ ├── Windows_Trojan_Merlin.yar │ ├── Windows_Trojan_Metasploit.yar │ ├── Windows_Trojan_MicroBackdoor.yar │ ├── Windows_Trojan_Nanocore.yar │ ├── Windows_Trojan_NapListener.yar │ ├── Windows_Trojan_Netwire.yar │ ├── Windows_Trojan_Njrat.yar │ ├── Windows_Trojan_Octopus.yar │ ├── Windows_Trojan_OnlyLogger.yar │ ├── Windows_Trojan_OskiStealer.yar │ ├── Windows_Trojan_Pandastealer.yar │ ├── Windows_Trojan_Parallax.yar │ ├── Windows_Trojan_Phoreal.yar │ ├── 
Windows_Trojan_Pingpull.yar │ ├── Windows_Trojan_PipeDance.yar │ ├── Windows_Trojan_Pony.yar │ ├── Windows_Trojan_PrivateLoader.yar │ ├── Windows_Trojan_ProtectS.yar │ ├── Windows_Trojan_Qbot.yar │ ├── Windows_Trojan_Quasarrat.yar │ ├── Windows_Trojan_Raccoon.yar │ ├── Windows_Trojan_RedLineStealer.yar │ ├── Windows_Trojan_Remcos.yar │ ├── Windows_Trojan_Remotemanipulator.yar │ ├── Windows_Trojan_Revcoderat.yar │ ├── Windows_Trojan_Revengerat.yar │ ├── Windows_Trojan_SVCReady.yar │ ├── Windows_Trojan_ServHelper.yar │ ├── Windows_Trojan_ShadowPad.yar │ ├── Windows_Trojan_SiestaGraph.yar │ ├── Windows_Trojan_Smokeloader.yar │ ├── Windows_Trojan_SnakeKeylogger.yar │ ├── Windows_Trojan_SomniRecord.yar │ ├── Windows_Trojan_Squirrelwaffle.yar │ ├── Windows_Trojan_StormKitty.yar │ ├── Windows_Trojan_SuddenIcon.yar │ ├── Windows_Trojan_SysJoker.yar │ ├── Windows_Trojan_SystemBC.yar │ ├── Windows_Trojan_Tofsee.yar │ ├── Windows_Trojan_Trickbot.yar │ ├── Windows_Trojan_Vidar.yar │ ├── Windows_Trojan_WhisperGate.yar │ ├── Windows_Trojan_Xpertrat.yar │ ├── Windows_Trojan_XtremeRAT.yar │ ├── Windows_Trojan_Zeus.yar │ ├── Windows_Trojan_Zloader.yar │ ├── Windows_VulnDriver_ATSZIO.yar │ ├── Windows_VulnDriver_Amifldrv.yar │ ├── Windows_VulnDriver_ArPot.yar │ ├── Windows_VulnDriver_AsIo.yar │ ├── Windows_VulnDriver_Asrock.yar │ ├── Windows_VulnDriver_Atillk.yar │ ├── Windows_VulnDriver_BSMI.yar │ ├── Windows_VulnDriver_Biostar.yar │ ├── Windows_VulnDriver_Cpuz.yar │ ├── Windows_VulnDriver_DBUtil.yar │ ├── Windows_VulnDriver_DirectIo.yar │ ├── Windows_VulnDriver_Elby.yar │ ├── Windows_VulnDriver_EneIo.yar │ ├── Windows_VulnDriver_Fidpci.yar │ ├── Windows_VulnDriver_GDrv.yar │ ├── Windows_VulnDriver_GlckIo.yar │ ├── Windows_VulnDriver_Gvci.yar │ ├── Windows_VulnDriver_HpPortIo.yar │ ├── Windows_VulnDriver_Iqvw.yar │ ├── Windows_VulnDriver_LLAccess.yar │ ├── Windows_VulnDriver_Lha.yar │ ├── Windows_VulnDriver_MarvinHW.yar │ ├── Windows_VulnDriver_Mhyprot.yar │ ├── 
Windows_VulnDriver_MicroStar.yar │ ├── Windows_VulnDriver_MsIo.yar │ ├── Windows_VulnDriver_MtcBsv.yar │ ├── Windows_VulnDriver_PowerProfiler.yar │ ├── Windows_VulnDriver_PowerTool.yar │ ├── Windows_VulnDriver_ProcExp.yar │ ├── Windows_VulnDriver_ProcId.yar │ ├── Windows_VulnDriver_RtCore.yar │ ├── Windows_VulnDriver_Rtkio.yar │ ├── Windows_VulnDriver_Ryzen.yar │ ├── Windows_VulnDriver_Sandra.yar │ ├── Windows_VulnDriver_Segwin.yar │ ├── Windows_VulnDriver_Speedfan.yar │ ├── Windows_VulnDriver_TmComm.yar │ ├── Windows_VulnDriver_ToshibaBios.yar │ ├── Windows_VulnDriver_VBox.yar │ ├── Windows_VulnDriver_Viragt.yar │ ├── Windows_VulnDriver_Vmdrv.yar │ ├── Windows_VulnDriver_WinFlash.yar │ ├── Windows_VulnDriver_WinIo.yar │ ├── Windows_VulnDriver_XTier.yar │ ├── Windows_VulnDriver_Zam.yar │ ├── Windows_Wiper_CaddyWiper.yar │ ├── Windows_Wiper_DoubleZero.yar │ ├── Windows_Wiper_HermeticWiper.yar │ └── Windows_Wiper_IsaacWiper.yar ├── wx.png ├── yara_scanner ├── config.json ├── yara_rules │ └── es_rules │ │ ├── Multi_AttackSimulation_Blindspot.yar │ │ ├── Multi_EICAR.yar │ │ ├── Multi_Ransomware_BlackCat.yar │ │ ├── Multi_Ransomware_Luna.yar │ │ ├── Multi_Trojan_Coreimpact.yar │ │ ├── Multi_Trojan_Sliver.yar │ │ ├── Windows_AttackSimulation_Hovercraft.yar │ │ ├── Windows_Backdoor_DragonCastling.yar │ │ ├── Windows_Backdoor_Goldbackdoor.yar │ │ ├── Windows_Backdoor_TeamViewer.yar │ │ ├── Windows_Cryptominer_Generic.yar │ │ ├── Windows_Exploit_Dcom.yar │ │ ├── Windows_Exploit_Eternalblue.yar │ │ ├── Windows_Exploit_Log4j.yar │ │ ├── Windows_Hacktool_BlackBone.yar │ │ ├── Windows_Hacktool_Capcom.yar │ │ ├── Windows_Hacktool_CheatEngine.yar │ │ ├── Windows_Hacktool_CpuLocker.yar │ │ ├── Windows_Hacktool_DarkLoadLibrary.yar │ │ ├── Windows_Hacktool_Dcsyncer.yar │ │ ├── Windows_Hacktool_Gmer.yar │ │ ├── Windows_Hacktool_Havoc.yar │ │ ├── Windows_Hacktool_LeiGod.yar │ │ ├── Windows_Hacktool_Mimikatz.yar │ │ ├── Windows_Hacktool_Nighthawk.yar │ │ ├── 
Windows_Hacktool_PhysMem.yar │ │ ├── Windows_Hacktool_ProcessHacker.yar │ │ ├── Windows_Hacktool_RWEverything.yar │ │ ├── Windows_Hacktool_Rubeus.yar │ │ ├── Windows_Hacktool_SafetyKatz.yar │ │ ├── Windows_Hacktool_Seatbelt.yar │ │ ├── Windows_Hacktool_SharPersist.yar │ │ ├── Windows_Hacktool_SharpAppLocker.yar │ │ ├── Windows_Hacktool_SharpChromium.yar │ │ ├── Windows_Hacktool_SharpDump.yar │ │ ├── Windows_Hacktool_SharpHound.yar │ │ ├── Windows_Hacktool_SharpLAPS.yar │ │ ├── Windows_Hacktool_SharpMove.yar │ │ ├── Windows_Hacktool_SharpRDP.yar │ │ ├── Windows_Hacktool_SharpShares.yar │ │ ├── Windows_Hacktool_SharpStay.yar │ │ ├── Windows_Hacktool_SharpUp.yar │ │ ├── Windows_Hacktool_SharpView.yar │ │ ├── Windows_Hacktool_SharpWMI.yar │ │ ├── Windows_Hacktool_WinPEAS_ng.yar │ │ ├── Windows_PUP_Veriato.yar │ │ ├── Windows_Ransomware_Avoslocker.yar │ │ ├── Windows_Ransomware_Bitpaymer.yar │ │ ├── Windows_Ransomware_BlackBasta.yar │ │ ├── Windows_Ransomware_Blackmatter.yar │ │ ├── Windows_Ransomware_Clop.yar │ │ ├── Windows_Ransomware_Conti.yar │ │ ├── Windows_Ransomware_Cuba.yar │ │ ├── Windows_Ransomware_Darkside.yar │ │ ├── Windows_Ransomware_Dharma.yar │ │ ├── Windows_Ransomware_Doppelpaymer.yar │ │ ├── Windows_Ransomware_Egregor.yar │ │ ├── Windows_Ransomware_Generic.yar │ │ ├── Windows_Ransomware_Grief.yar │ │ ├── Windows_Ransomware_Haron.yar │ │ ├── Windows_Ransomware_Hellokitty.yar │ │ ├── Windows_Ransomware_Helloxd.yar │ │ ├── Windows_Ransomware_Hive.yar │ │ ├── Windows_Ransomware_Lockbit.yar │ │ ├── Windows_Ransomware_Lockfile.yar │ │ ├── Windows_Ransomware_Magniber.yar │ │ ├── Windows_Ransomware_Makop.yar │ │ ├── Windows_Ransomware_Maui.yar │ │ ├── Windows_Ransomware_Maze.yar │ │ ├── Windows_Ransomware_Mespinoza.yar │ │ ├── Windows_Ransomware_Mountlocker.yar │ │ ├── Windows_Ransomware_Nightsky.yar │ │ ├── Windows_Ransomware_Pandora.yar │ │ ├── Windows_Ransomware_Phobos.yar │ │ ├── Windows_Ransomware_Ragnarok.yar │ │ ├── Windows_Ransomware_Ransomexx.yar │ │ 
├── Windows_Ransomware_Rook.yar │ │ ├── Windows_Ransomware_Royal.yar │ │ ├── Windows_Ransomware_Ryuk.yar │ │ ├── Windows_Ransomware_Snake.yar │ │ ├── Windows_Ransomware_Sodinokibi.yar │ │ ├── Windows_Ransomware_Stop.yar │ │ ├── Windows_Ransomware_Thanos.yar │ │ ├── Windows_Ransomware_WannaCry.yar │ │ ├── Windows_Ransomware_WhisperGate.yar │ │ ├── Windows_Rootkit_R77.yar │ │ ├── Windows_Shellcode_Generic.yar │ │ ├── Windows_Trojan_A310logger.yar │ │ ├── Windows_Trojan_AgentTesla.yar │ │ ├── Windows_Trojan_Amadey.yar │ │ ├── Windows_Trojan_ArkeiStealer.yar │ │ ├── Windows_Trojan_Asyncrat.yar │ │ ├── Windows_Trojan_AveMaria.yar │ │ ├── Windows_Trojan_Azorult.yar │ │ ├── Windows_Trojan_Babylonrat.yar │ │ ├── Windows_Trojan_Backoff.yar │ │ ├── Windows_Trojan_Bandook.yar │ │ ├── Windows_Trojan_Bazar.yar │ │ ├── Windows_Trojan_Beam.yar │ │ ├── Windows_Trojan_Bitrat.yar │ │ ├── Windows_Trojan_BlackShades.yar │ │ ├── Windows_Trojan_Blister.yar │ │ ├── Windows_Trojan_BruteRatel.yar │ │ ├── Windows_Trojan_Buerloader.yar │ │ ├── Windows_Trojan_Bughatch.yar │ │ ├── Windows_Trojan_Bumblebee.yar │ │ ├── Windows_Trojan_CaesarKbd.yar │ │ ├── Windows_Trojan_Carberp.yar │ │ ├── Windows_Trojan_Clipbanker.yar │ │ ├── Windows_Trojan_CobaltStrike.yar │ │ ├── Windows_Trojan_Cryptbot.yar │ │ ├── Windows_Trojan_CyberGate.yar │ │ ├── Windows_Trojan_DBatLoader.yar │ │ ├── Windows_Trojan_DCRat.yar │ │ ├── Windows_Trojan_Danabot.yar │ │ ├── Windows_Trojan_DarkVNC.yar │ │ ├── Windows_Trojan_Darkcomet.yar │ │ ├── Windows_Trojan_Deimos.yar │ │ ├── Windows_Trojan_DiamondFox.yar │ │ ├── Windows_Trojan_Diceloader.yar │ │ ├── Windows_Trojan_Donutloader.yar │ │ ├── Windows_Trojan_DoorMe.yar │ │ ├── Windows_Trojan_DoubleBack.yar │ │ ├── Windows_Trojan_Dridex.yar │ │ ├── Windows_Trojan_Emotet.yar │ │ ├── Windows_Trojan_Farfli.yar │ │ ├── Windows_Trojan_Fickerstealer.yar │ │ ├── Windows_Trojan_Formbook.yar │ │ ├── Windows_Trojan_Garble.yar │ │ ├── Windows_Trojan_Generic.yar │ │ ├── 
Windows_Trojan_Gh0st.yar │ │ ├── Windows_Trojan_Glupteba.yar │ │ ├── Windows_Trojan_Gozi.yar │ │ ├── Windows_Trojan_Guloader.yar │ │ ├── Windows_Trojan_Hancitor.yar │ │ ├── Windows_Trojan_Hawkeye.yar │ │ ├── Windows_Trojan_IcedID.yar │ │ ├── Windows_Trojan_JesterStealer.yar │ │ ├── Windows_Trojan_Jupyter.yar │ │ ├── Windows_Trojan_Kronos.yar │ │ ├── Windows_Trojan_Limerat.yar │ │ ├── Windows_Trojan_Lokibot.yar │ │ ├── Windows_Trojan_Lucifer.yar │ │ ├── Windows_Trojan_Lurker.yar │ │ ├── Windows_Trojan_MassLogger.yar │ │ ├── Windows_Trojan_Matanbuchus.yar │ │ ├── Windows_Trojan_Merlin.yar │ │ ├── Windows_Trojan_Metasploit.yar │ │ ├── Windows_Trojan_MicroBackdoor.yar │ │ ├── Windows_Trojan_Nanocore.yar │ │ ├── Windows_Trojan_NapListener.yar │ │ ├── Windows_Trojan_Netwire.yar │ │ ├── Windows_Trojan_Njrat.yar │ │ ├── Windows_Trojan_Octopus.yar │ │ ├── Windows_Trojan_OnlyLogger.yar │ │ ├── Windows_Trojan_OskiStealer.yar │ │ ├── Windows_Trojan_Pandastealer.yar │ │ ├── Windows_Trojan_Parallax.yar │ │ ├── Windows_Trojan_Phoreal.yar │ │ ├── Windows_Trojan_Pingpull.yar │ │ ├── Windows_Trojan_PipeDance.yar │ │ ├── Windows_Trojan_Pony.yar │ │ ├── Windows_Trojan_PrivateLoader.yar │ │ ├── Windows_Trojan_ProtectS.yar │ │ ├── Windows_Trojan_Qbot.yar │ │ ├── Windows_Trojan_Quasarrat.yar │ │ ├── Windows_Trojan_Raccoon.yar │ │ ├── Windows_Trojan_RedLineStealer.yar │ │ ├── Windows_Trojan_Remcos.yar │ │ ├── Windows_Trojan_Remotemanipulator.yar │ │ ├── Windows_Trojan_Revcoderat.yar │ │ ├── Windows_Trojan_Revengerat.yar │ │ ├── Windows_Trojan_SVCReady.yar │ │ ├── Windows_Trojan_ServHelper.yar │ │ ├── Windows_Trojan_ShadowPad.yar │ │ ├── Windows_Trojan_SiestaGraph.yar │ │ ├── Windows_Trojan_Smokeloader.yar │ │ ├── Windows_Trojan_SnakeKeylogger.yar │ │ ├── Windows_Trojan_SomniRecord.yar │ │ ├── Windows_Trojan_Squirrelwaffle.yar │ │ ├── Windows_Trojan_StormKitty.yar │ │ ├── Windows_Trojan_SuddenIcon.yar │ │ ├── Windows_Trojan_SysJoker.yar │ │ ├── Windows_Trojan_SystemBC.yar │ │ ├── 
Windows_Trojan_Tofsee.yar │ │ ├── Windows_Trojan_Trickbot.yar │ │ ├── Windows_Trojan_Vidar.yar │ │ ├── Windows_Trojan_WhisperGate.yar │ │ ├── Windows_Trojan_Xpertrat.yar │ │ ├── Windows_Trojan_XtremeRAT.yar │ │ ├── Windows_Trojan_Zeus.yar │ │ ├── Windows_Trojan_Zloader.yar │ │ ├── Windows_VulnDriver_ATSZIO.yar │ │ ├── Windows_VulnDriver_Amifldrv.yar │ │ ├── Windows_VulnDriver_ArPot.yar │ │ ├── Windows_VulnDriver_AsIo.yar │ │ ├── Windows_VulnDriver_Asrock.yar │ │ ├── Windows_VulnDriver_Atillk.yar │ │ ├── Windows_VulnDriver_BSMI.yar │ │ ├── Windows_VulnDriver_Biostar.yar │ │ ├── Windows_VulnDriver_Cpuz.yar │ │ ├── Windows_VulnDriver_DBUtil.yar │ │ ├── Windows_VulnDriver_DirectIo.yar │ │ ├── Windows_VulnDriver_Elby.yar │ │ ├── Windows_VulnDriver_EneIo.yar │ │ ├── Windows_VulnDriver_Fidpci.yar │ │ ├── Windows_VulnDriver_GDrv.yar │ │ ├── Windows_VulnDriver_GlckIo.yar │ │ ├── Windows_VulnDriver_Gvci.yar │ │ ├── Windows_VulnDriver_HpPortIo.yar │ │ ├── Windows_VulnDriver_Iqvw.yar │ │ ├── Windows_VulnDriver_LLAccess.yar │ │ ├── Windows_VulnDriver_Lha.yar │ │ ├── Windows_VulnDriver_MarvinHW.yar │ │ ├── Windows_VulnDriver_Mhyprot.yar │ │ ├── Windows_VulnDriver_MicroStar.yar │ │ ├── Windows_VulnDriver_MsIo.yar │ │ ├── Windows_VulnDriver_MtcBsv.yar │ │ ├── Windows_VulnDriver_PowerProfiler.yar │ │ ├── Windows_VulnDriver_PowerTool.yar │ │ ├── Windows_VulnDriver_ProcExp.yar │ │ ├── Windows_VulnDriver_ProcId.yar │ │ ├── Windows_VulnDriver_RtCore.yar │ │ ├── Windows_VulnDriver_Rtkio.yar │ │ ├── Windows_VulnDriver_Ryzen.yar │ │ ├── Windows_VulnDriver_Sandra.yar │ │ ├── Windows_VulnDriver_Segwin.yar │ │ ├── Windows_VulnDriver_Speedfan.yar │ │ ├── Windows_VulnDriver_TmComm.yar │ │ ├── Windows_VulnDriver_ToshibaBios.yar │ │ ├── Windows_VulnDriver_VBox.yar │ │ ├── Windows_VulnDriver_Viragt.yar │ │ ├── Windows_VulnDriver_Vmdrv.yar │ │ ├── Windows_VulnDriver_WinFlash.yar │ │ ├── Windows_VulnDriver_WinIo.yar │ │ ├── Windows_VulnDriver_XTier.yar │ │ ├── Windows_VulnDriver_Zam.yar │ │ ├── 
Windows_Wiper_CaddyWiper.yar │ │ ├── Windows_Wiper_DoubleZero.yar │ │ ├── Windows_Wiper_HermeticWiper.yar │ │ └── Windows_Wiper_IsaacWiper.yar └── yara_scanner.exe └── yara_scanner_beta ├── config.json ├── yara_rules ├── Yara-Rules │ ├── cve_rules │ │ ├── CVE-2010-0805.yar │ │ ├── CVE-2010-0887.yar │ │ ├── CVE-2010-1297.yar │ │ ├── CVE-2012-0158.yar │ │ ├── CVE-2013-0074.yar │ │ ├── CVE-2013-0422.yar │ │ ├── CVE-2015-1701.yar │ │ ├── CVE-2015-2426.yar │ │ ├── CVE-2015-2545.yar │ │ ├── CVE-2015-5119.yar │ │ ├── CVE-2016-5195.yar │ │ ├── CVE-2017-11882.yar │ │ ├── CVE-2018-20250.yar │ │ └── CVE-2018-4878.yar │ ├── exploit_kits │ │ ├── EK_Angler.yar │ │ ├── EK_Blackhole.yar │ │ ├── EK_BleedingLife.yar │ │ ├── EK_Crimepack.yar │ │ ├── EK_Eleonore.yar │ │ ├── EK_Fragus.yar │ │ ├── EK_Phoenix.yar │ │ ├── EK_Sakura.yar │ │ ├── EK_ZeroAcces.yar │ │ ├── EK_Zerox88.yar │ │ └── EK_Zeus.yar │ └── webshells │ │ ├── WShell_APT_Laudanum.yar │ │ ├── WShell_ASPXSpy.yar │ │ ├── WShell_ChinaChopper.yar │ │ ├── WShell_Drupalgeddon2_icos.yar │ │ ├── WShell_PHP_Anuna.yar │ │ ├── WShell_PHP_in_images.yar │ │ ├── WShell_THOR_Webshells.yar │ │ ├── Wshell_ChineseSpam.yar │ │ └── Wshell_fire2013.yar ├── es_rules │ ├── Multi_AttackSimulation_Blindspot.yar │ ├── Multi_EICAR.yar │ ├── Multi_Ransomware_BlackCat.yar │ ├── Multi_Ransomware_Luna.yar │ ├── Multi_Trojan_Coreimpact.yar │ ├── Multi_Trojan_Sliver.yar │ ├── Windows_AttackSimulation_Hovercraft.yar │ ├── Windows_Backdoor_DragonCastling.yar │ ├── Windows_Backdoor_Goldbackdoor.yar │ ├── Windows_Backdoor_TeamViewer.yar │ ├── Windows_Cryptominer_Generic.yar │ ├── Windows_Exploit_Dcom.yar │ ├── Windows_Exploit_Eternalblue.yar │ ├── Windows_Exploit_Log4j.yar │ ├── Windows_Hacktool_BlackBone.yar │ ├── Windows_Hacktool_Capcom.yar │ ├── Windows_Hacktool_CheatEngine.yar │ ├── Windows_Hacktool_CpuLocker.yar │ ├── Windows_Hacktool_DarkLoadLibrary.yar │ ├── Windows_Hacktool_Dcsyncer.yar │ ├── Windows_Hacktool_Gmer.yar │ ├── Windows_Hacktool_Havoc.yar │ 
├── Windows_Hacktool_LeiGod.yar │ ├── Windows_Hacktool_Mimikatz.yar │ ├── Windows_Hacktool_Nighthawk.yar │ ├── Windows_Hacktool_PhysMem.yar │ ├── Windows_Hacktool_ProcessHacker.yar │ ├── Windows_Hacktool_RWEverything.yar │ ├── Windows_Hacktool_Rubeus.yar │ ├── Windows_Hacktool_SafetyKatz.yar │ ├── Windows_Hacktool_Seatbelt.yar │ ├── Windows_Hacktool_SharPersist.yar │ ├── Windows_Hacktool_SharpAppLocker.yar │ ├── Windows_Hacktool_SharpChromium.yar │ ├── Windows_Hacktool_SharpDump.yar │ ├── Windows_Hacktool_SharpHound.yar │ ├── Windows_Hacktool_SharpLAPS.yar │ ├── Windows_Hacktool_SharpMove.yar │ ├── Windows_Hacktool_SharpRDP.yar │ ├── Windows_Hacktool_SharpShares.yar │ ├── Windows_Hacktool_SharpStay.yar │ ├── Windows_Hacktool_SharpUp.yar │ ├── Windows_Hacktool_SharpView.yar │ ├── Windows_Hacktool_SharpWMI.yar │ ├── Windows_Hacktool_WinPEAS_ng.yar │ ├── Windows_PUP_Veriato.yar │ ├── Windows_Ransomware_Avoslocker.yar │ ├── Windows_Ransomware_Bitpaymer.yar │ ├── Windows_Ransomware_BlackBasta.yar │ ├── Windows_Ransomware_Blackmatter.yar │ ├── Windows_Ransomware_Clop.yar │ ├── Windows_Ransomware_Conti.yar │ ├── Windows_Ransomware_Cuba.yar │ ├── Windows_Ransomware_Darkside.yar │ ├── Windows_Ransomware_Dharma.yar │ ├── Windows_Ransomware_Doppelpaymer.yar │ ├── Windows_Ransomware_Egregor.yar │ ├── Windows_Ransomware_Generic.yar │ ├── Windows_Ransomware_Grief.yar │ ├── Windows_Ransomware_Haron.yar │ ├── Windows_Ransomware_Hellokitty.yar │ ├── Windows_Ransomware_Helloxd.yar │ ├── Windows_Ransomware_Hive.yar │ ├── Windows_Ransomware_Lockbit.yar │ ├── Windows_Ransomware_Lockfile.yar │ ├── Windows_Ransomware_Magniber.yar │ ├── Windows_Ransomware_Makop.yar │ ├── Windows_Ransomware_Maui.yar │ ├── Windows_Ransomware_Maze.yar │ ├── Windows_Ransomware_Mespinoza.yar │ ├── Windows_Ransomware_Mountlocker.yar │ ├── Windows_Ransomware_Nightsky.yar │ ├── Windows_Ransomware_Pandora.yar │ ├── Windows_Ransomware_Phobos.yar │ ├── Windows_Ransomware_Ragnarok.yar │ ├── 
Windows_Ransomware_Ransomexx.yar │ ├── Windows_Ransomware_Rook.yar │ ├── Windows_Ransomware_Royal.yar │ ├── Windows_Ransomware_Ryuk.yar │ ├── Windows_Ransomware_Snake.yar │ ├── Windows_Ransomware_Sodinokibi.yar │ ├── Windows_Ransomware_Stop.yar │ ├── Windows_Ransomware_Thanos.yar │ ├── Windows_Ransomware_WannaCry.yar │ ├── Windows_Ransomware_WhisperGate.yar │ ├── Windows_Rootkit_R77.yar │ ├── Windows_Shellcode_Generic.yar │ ├── Windows_Trojan_A310logger.yar │ ├── Windows_Trojan_AgentTesla.yar │ ├── Windows_Trojan_Amadey.yar │ ├── Windows_Trojan_ArkeiStealer.yar │ ├── Windows_Trojan_Asyncrat.yar │ ├── Windows_Trojan_AveMaria.yar │ ├── Windows_Trojan_Azorult.yar │ ├── Windows_Trojan_Babylonrat.yar │ ├── Windows_Trojan_Backoff.yar │ ├── Windows_Trojan_Bandook.yar │ ├── Windows_Trojan_Bazar.yar │ ├── Windows_Trojan_Beam.yar │ ├── Windows_Trojan_Bitrat.yar │ ├── Windows_Trojan_BlackShades.yar │ ├── Windows_Trojan_Blister.yar │ ├── Windows_Trojan_BruteRatel.yar │ ├── Windows_Trojan_Buerloader.yar │ ├── Windows_Trojan_Bughatch.yar │ ├── Windows_Trojan_Bumblebee.yar │ ├── Windows_Trojan_CaesarKbd.yar │ ├── Windows_Trojan_Carberp.yar │ ├── Windows_Trojan_Clipbanker.yar │ ├── Windows_Trojan_CobaltStrike.yar │ ├── Windows_Trojan_Cryptbot.yar │ ├── Windows_Trojan_CyberGate.yar │ ├── Windows_Trojan_DBatLoader.yar │ ├── Windows_Trojan_DCRat.yar │ ├── Windows_Trojan_Danabot.yar │ ├── Windows_Trojan_DarkVNC.yar │ ├── Windows_Trojan_Darkcomet.yar │ ├── Windows_Trojan_Deimos.yar │ ├── Windows_Trojan_DiamondFox.yar │ ├── Windows_Trojan_Diceloader.yar │ ├── Windows_Trojan_Donutloader.yar │ ├── Windows_Trojan_DoorMe.yar │ ├── Windows_Trojan_DoubleBack.yar │ ├── Windows_Trojan_Dridex.yar │ ├── Windows_Trojan_Emotet.yar │ ├── Windows_Trojan_Farfli.yar │ ├── Windows_Trojan_Fickerstealer.yar │ ├── Windows_Trojan_Formbook.yar │ ├── Windows_Trojan_Garble.yar │ ├── Windows_Trojan_Generic.yar │ ├── Windows_Trojan_Gh0st.yar │ ├── Windows_Trojan_Glupteba.yar │ ├── Windows_Trojan_Gozi.yar │ ├── 
Windows_Trojan_Guloader.yar │ ├── Windows_Trojan_Hancitor.yar │ ├── Windows_Trojan_Hawkeye.yar │ ├── Windows_Trojan_IcedID.yar │ ├── Windows_Trojan_JesterStealer.yar │ ├── Windows_Trojan_Jupyter.yar │ ├── Windows_Trojan_Kronos.yar │ ├── Windows_Trojan_Limerat.yar │ ├── Windows_Trojan_Lokibot.yar │ ├── Windows_Trojan_Lucifer.yar │ ├── Windows_Trojan_Lurker.yar │ ├── Windows_Trojan_MassLogger.yar │ ├── Windows_Trojan_Matanbuchus.yar │ ├── Windows_Trojan_Merlin.yar │ ├── Windows_Trojan_Metasploit.yar │ ├── Windows_Trojan_MicroBackdoor.yar │ ├── Windows_Trojan_Nanocore.yar │ ├── Windows_Trojan_NapListener.yar │ ├── Windows_Trojan_Netwire.yar │ ├── Windows_Trojan_Njrat.yar │ ├── Windows_Trojan_Octopus.yar │ ├── Windows_Trojan_OnlyLogger.yar │ ├── Windows_Trojan_OskiStealer.yar │ ├── Windows_Trojan_Pandastealer.yar │ ├── Windows_Trojan_Parallax.yar │ ├── Windows_Trojan_Phoreal.yar │ ├── Windows_Trojan_Pingpull.yar │ ├── Windows_Trojan_PipeDance.yar │ ├── Windows_Trojan_Pony.yar │ ├── Windows_Trojan_PrivateLoader.yar │ ├── Windows_Trojan_ProtectS.yar │ ├── Windows_Trojan_Qbot.yar │ ├── Windows_Trojan_Quasarrat.yar │ ├── Windows_Trojan_Raccoon.yar │ ├── Windows_Trojan_RedLineStealer.yar │ ├── Windows_Trojan_Remcos.yar │ ├── Windows_Trojan_Remotemanipulator.yar │ ├── Windows_Trojan_Revcoderat.yar │ ├── Windows_Trojan_Revengerat.yar │ ├── Windows_Trojan_SVCReady.yar │ ├── Windows_Trojan_ServHelper.yar │ ├── Windows_Trojan_ShadowPad.yar │ ├── Windows_Trojan_SiestaGraph.yar │ ├── Windows_Trojan_Smokeloader.yar │ ├── Windows_Trojan_SnakeKeylogger.yar │ ├── Windows_Trojan_SomniRecord.yar │ ├── Windows_Trojan_Squirrelwaffle.yar │ ├── Windows_Trojan_StormKitty.yar │ ├── Windows_Trojan_SuddenIcon.yar │ ├── Windows_Trojan_SysJoker.yar │ ├── Windows_Trojan_SystemBC.yar │ ├── Windows_Trojan_Tofsee.yar │ ├── Windows_Trojan_Trickbot.yar │ ├── Windows_Trojan_Vidar.yar │ ├── Windows_Trojan_WhisperGate.yar │ ├── Windows_Trojan_Xpertrat.yar │ ├── Windows_Trojan_XtremeRAT.yar │ ├── 
Windows_Trojan_Zeus.yar │ ├── Windows_Trojan_Zloader.yar │ ├── Windows_VulnDriver_ATSZIO.yar │ ├── Windows_VulnDriver_Amifldrv.yar │ ├── Windows_VulnDriver_ArPot.yar │ ├── Windows_VulnDriver_AsIo.yar │ ├── Windows_VulnDriver_Asrock.yar │ ├── Windows_VulnDriver_Atillk.yar │ ├── Windows_VulnDriver_BSMI.yar │ ├── Windows_VulnDriver_Biostar.yar │ ├── Windows_VulnDriver_Cpuz.yar │ ├── Windows_VulnDriver_DBUtil.yar │ ├── Windows_VulnDriver_DirectIo.yar │ ├── Windows_VulnDriver_Elby.yar │ ├── Windows_VulnDriver_EneIo.yar │ ├── Windows_VulnDriver_Fidpci.yar │ ├── Windows_VulnDriver_GDrv.yar │ ├── Windows_VulnDriver_GlckIo.yar │ ├── Windows_VulnDriver_Gvci.yar │ ├── Windows_VulnDriver_HpPortIo.yar │ ├── Windows_VulnDriver_Iqvw.yar │ ├── Windows_VulnDriver_LLAccess.yar │ ├── Windows_VulnDriver_Lha.yar │ ├── Windows_VulnDriver_MarvinHW.yar │ ├── Windows_VulnDriver_Mhyprot.yar │ ├── Windows_VulnDriver_MicroStar.yar │ ├── Windows_VulnDriver_MsIo.yar │ ├── Windows_VulnDriver_MtcBsv.yar │ ├── Windows_VulnDriver_PowerProfiler.yar │ ├── Windows_VulnDriver_PowerTool.yar │ ├── Windows_VulnDriver_ProcExp.yar │ ├── Windows_VulnDriver_ProcId.yar │ ├── Windows_VulnDriver_RtCore.yar │ ├── Windows_VulnDriver_Rtkio.yar │ ├── Windows_VulnDriver_Ryzen.yar │ ├── Windows_VulnDriver_Sandra.yar │ ├── Windows_VulnDriver_Segwin.yar │ ├── Windows_VulnDriver_Speedfan.yar │ ├── Windows_VulnDriver_TmComm.yar │ ├── Windows_VulnDriver_ToshibaBios.yar │ ├── Windows_VulnDriver_VBox.yar │ ├── Windows_VulnDriver_Viragt.yar │ ├── Windows_VulnDriver_Vmdrv.yar │ ├── Windows_VulnDriver_WinFlash.yar │ ├── Windows_VulnDriver_WinIo.yar │ ├── Windows_VulnDriver_XTier.yar │ ├── Windows_VulnDriver_Zam.yar │ ├── Windows_Wiper_CaddyWiper.yar │ ├── Windows_Wiper_DoubleZero.yar │ ├── Windows_Wiper_HermeticWiper.yar │ └── Windows_Wiper_IsaacWiper.yar └── reversinglabs │ ├── backdoor │ └── Win64.Backdoor.Minodo.yara │ ├── certificate │ └── blocklist.yara │ ├── downloader │ └── Win32.Downloader.dlMarlboro.yara │ ├── exploit 
│ └── Win32.Exploit.CVE20200601.yara │ ├── infostealer │ ├── Win32.Infostealer.MultigrainPOS.yara │ ├── Win32.Infostealer.ProjectHookPOS.yara │ └── Win32.Infostealer.StealC.yara │ ├── pua │ └── Win32.PUA.Domaiq.yara │ ├── ransomware │ ├── ByteCode.MSIL.Ransomware.Apis.yara │ ├── ByteCode.MSIL.Ransomware.ChupaCabra.yara │ ├── ByteCode.MSIL.Ransomware.Cring.yara │ ├── ByteCode.MSIL.Ransomware.Dusk.yara │ ├── ByteCode.MSIL.Ransomware.EAF.yara │ ├── ByteCode.MSIL.Ransomware.Eternity.yara │ ├── ByteCode.MSIL.Ransomware.Fantom.yara │ ├── ByteCode.MSIL.Ransomware.GhosTEncryptor.yara │ ├── ByteCode.MSIL.Ransomware.Ghostbin.yara │ ├── ByteCode.MSIL.Ransomware.GoodWill.yara │ ├── ByteCode.MSIL.Ransomware.HarpoonLocker.yara │ ├── ByteCode.MSIL.Ransomware.Hog.yara │ ├── ByteCode.MSIL.Ransomware.Invert.yara │ ├── ByteCode.MSIL.Ransomware.Janelle.yara │ ├── ByteCode.MSIL.Ransomware.Khonsari.yara │ ├── ByteCode.MSIL.Ransomware.McBurglar.yara │ ├── ByteCode.MSIL.Ransomware.Moisha.yara │ ├── ByteCode.MSIL.Ransomware.Namaste.yara │ ├── ByteCode.MSIL.Ransomware.Oct.yara │ ├── ByteCode.MSIL.Ransomware.Pacman.yara │ ├── ByteCode.MSIL.Ransomware.PoliceRecords.yara │ ├── ByteCode.MSIL.Ransomware.Povlsomware.yara │ ├── ByteCode.MSIL.Ransomware.Retis.yara │ ├── ByteCode.MSIL.Ransomware.TaRRaK.yara │ ├── ByteCode.MSIL.Ransomware.Thanos.yara │ ├── ByteCode.MSIL.Ransomware.TimeCrypt.yara │ ├── ByteCode.MSIL.Ransomware.TimeTime.yara │ ├── ByteCode.MSIL.Ransomware.Venom.yara │ ├── ByteCode.MSIL.Ransomware.WildFire.yara │ ├── ByteCode.MSIL.Ransomware.WormLocker.yara │ ├── ByteCode.MSIL.Ransomware.ZeroLocker.yara │ ├── Bytecode.MSIL.Ransomware.CobraLocker.yara │ ├── Linux.Ransomware.GwisinLocker.yara │ ├── Linux.Ransomware.KillDisk.yara │ ├── Linux.Ransomware.LuckyJoe.yara │ ├── Linux.Ransomware.RedAlert.yara │ ├── Win32.Ransomware.5ss5c.yara │ ├── Win32.Ransomware.ASN1Encoder.yara │ ├── Win32.Ransomware.Acepy.yara │ ├── Win32.Ransomware.Afrodita.yara │ ├── Win32.Ransomware.Ako.yara │ ├── 
Win32.Ransomware.Alcatraz.yara │ ├── Win32.Ransomware.AnteFrigus.yara │ ├── Win32.Ransomware.Archiveus.yara │ ├── Win32.Ransomware.Armage.yara │ ├── Win32.Ransomware.Atlas.yara │ ├── Win32.Ransomware.Avaddon.yara │ ├── Win32.Ransomware.AvosLocker.yara │ ├── Win32.Ransomware.BKRansomware.yara │ ├── Win32.Ransomware.Babuk.yara │ ├── Win32.Ransomware.BadBlock.yara │ ├── Win32.Ransomware.Badbeeteam.yara │ ├── Win32.Ransomware.Balaclava.yara │ ├── Win32.Ransomware.Bam2021.yara │ ├── Win32.Ransomware.BananaCrypt.yara │ ├── Win32.Ransomware.BandarChor.yara │ ├── Win32.Ransomware.BitCrypt.yara │ ├── Win32.Ransomware.BlackBasta.yara │ ├── Win32.Ransomware.BlackCat.yara │ ├── Win32.Ransomware.BlackMoon.yara │ ├── Win32.Ransomware.Blitzkrieg.yara │ ├── Win32.Ransomware.BlueLocker.yara │ ├── Win32.Ransomware.BrainCrypt.yara │ ├── Win32.Ransomware.Buran.yara │ ├── Win32.Ransomware.ChiChi.yara │ ├── Win32.Ransomware.Cincoo.yara │ ├── Win32.Ransomware.Clop.yara │ ├── Win32.Ransomware.Conti.yara │ ├── Win32.Ransomware.Cryakl.yara │ ├── Win32.Ransomware.Crypmic.yara │ ├── Win32.Ransomware.Crypren.yara │ ├── Win32.Ransomware.CryptoBit.yara │ ├── Win32.Ransomware.CryptoFortress.yara │ ├── Win32.Ransomware.CryptoJoker.yara │ ├── Win32.Ransomware.CryptoLocker.yara │ ├── Win32.Ransomware.CryptoWall.yara │ ├── Win32.Ransomware.Crysis.yara │ ├── Win32.Ransomware.Cuba.yara │ ├── Win32.Ransomware.DMALocker.yara │ ├── Win32.Ransomware.DMR.yara │ ├── Win32.Ransomware.DarkSide.yara │ ├── Win32.Ransomware.DearCry.yara │ ├── Win32.Ransomware.Defray.yara │ ├── Win32.Ransomware.Delphimorix.yara │ ├── Win32.Ransomware.DenizKizi.yara │ ├── Win32.Ransomware.DesuCrypt.yara │ ├── Win32.Ransomware.Dharma.yara │ ├── Win32.Ransomware.DirtyDecrypt.yara │ ├── Win32.Ransomware.District.yara │ ├── Win32.Ransomware.DogeCrypt.yara │ ├── Win32.Ransomware.Dragon.yara │ ├── Win32.Ransomware.Dualshot.yara │ ├── Win32.Ransomware.Encoded01.yara │ ├── Win32.Ransomware.Erica.yara │ ├── Win32.Ransomware.FCT.yara │ ├── 
Win32.Ransomware.FLKR.yara │ ├── Win32.Ransomware.FarAttack.yara │ ├── Win32.Ransomware.FenixLocker.yara │ ├── Win32.Ransomware.Ferrlock.yara │ ├── Win32.Ransomware.Flamingo.yara │ ├── Win32.Ransomware.FuxSocy.yara │ ├── Win32.Ransomware.GPGQwerty.yara │ ├── Win32.Ransomware.GandCrab.yara │ ├── Win32.Ransomware.GarrantyDecrypt.yara │ ├── Win32.Ransomware.Gibon.yara │ ├── Win32.Ransomware.GlobeImposter.yara │ ├── Win32.Ransomware.Gomer.yara │ ├── Win32.Ransomware.Good.yara │ ├── Win32.Ransomware.Gpcode.yara │ ├── Win32.Ransomware.GusCrypter.yara │ ├── Win32.Ransomware.HDDCryptor.yara │ ├── Win32.Ransomware.HDMR.yara │ ├── Win32.Ransomware.HakunaMatata.yara │ ├── Win32.Ransomware.Henry.yara │ ├── Win32.Ransomware.HentaiOniichan.yara │ ├── Win32.Ransomware.Hermes.yara │ ├── Win32.Ransomware.Horsedeal.yara │ ├── Win32.Ransomware.HowAreYou.yara │ ├── Win32.Ransomware.HydraCrypt.yara │ ├── Win32.Ransomware.IFN643.yara │ ├── Win32.Ransomware.InfoDot.yara │ ├── Win32.Ransomware.JSWorm.yara │ ├── Win32.Ransomware.Jamper.yara │ ├── Win32.Ransomware.Jemd.yara │ ├── Win32.Ransomware.Jormungand.yara │ ├── Win32.Ransomware.JuicyLemon.yara │ ├── Win32.Ransomware.Kangaroo.yara │ ├── Win32.Ransomware.KawaiiLocker.yara │ ├── Win32.Ransomware.KillDisk.yara │ ├── Win32.Ransomware.Knot.yara │ ├── Win32.Ransomware.Kovter.yara │ ├── Win32.Ransomware.Koxic.yara │ ├── Win32.Ransomware.Kraken.yara │ ├── Win32.Ransomware.Ladon.yara │ ├── Win32.Ransomware.LeChiffre.yara │ ├── Win32.Ransomware.LockBit.yara │ ├── Win32.Ransomware.Lolkek.yara │ ├── Win32.Ransomware.LooCipher.yara │ ├── Win32.Ransomware.Lorenz.yara │ ├── Win32.Ransomware.MRAC.yara │ ├── Win32.Ransomware.MZP.yara │ ├── Win32.Ransomware.Mafia.yara │ ├── Win32.Ransomware.Magniber.yara │ ├── Win32.Ransomware.Major.yara │ ├── Win32.Ransomware.Makop.yara │ ├── Win32.Ransomware.Maktub.yara │ ├── Win32.Ransomware.Marlboro.yara │ ├── Win32.Ransomware.MarsJoke.yara │ ├── Win32.Ransomware.Matsnu.yara │ ├── Win32.Ransomware.MedusaLocker.yara 
│ ├── Win32.Ransomware.Meow.yara │ ├── Win32.Ransomware.Monalisa.yara │ ├── Win32.Ransomware.Montserrat.yara │ ├── Win32.Ransomware.Motocos.yara │ ├── Win32.Ransomware.MountLocker.yara │ ├── Win32.Ransomware.NB65.yara │ ├── Win32.Ransomware.NanoLocker.yara │ ├── Win32.Ransomware.Nefilim.yara │ ├── Win32.Ransomware.Nemty.yara │ ├── Win32.Ransomware.Networm.yara │ ├── Win32.Ransomware.NotPetya.yara │ ├── Win32.Ransomware.Oni.yara │ ├── Win32.Ransomware.OphionLocker.yara │ ├── Win32.Ransomware.Ouroboros.yara │ ├── Win32.Ransomware.Outsider.yara │ ├── Win32.Ransomware.PXJ.yara │ ├── Win32.Ransomware.Paradise.yara │ ├── Win32.Ransomware.Pay2Key.yara │ ├── Win32.Ransomware.Petya.yara │ ├── Win32.Ransomware.Plague17.yara │ ├── Win32.Ransomware.PrincessLocker.yara │ ├── Win32.Ransomware.Prometey.yara │ ├── Win32.Ransomware.RagnarLocker.yara │ ├── Win32.Ransomware.Ragnarok.yara │ ├── Win32.Ransomware.Ransoc.yara │ ├── Win32.Ransomware.RansomPlus.yara │ ├── Win32.Ransomware.Ransomexx.yara │ ├── Win32.Ransomware.Redeemer.yara │ ├── Win32.Ransomware.RegretLocker.yara │ ├── Win32.Ransomware.RetMyData.yara │ ├── Win32.Ransomware.Reveton.yara │ ├── Win32.Ransomware.Revil.yara │ ├── Win32.Ransomware.Rokku.yara │ ├── Win32.Ransomware.Ryuk.yara │ ├── Win32.Ransomware.Sage.yara │ ├── Win32.Ransomware.Sanwai.yara │ ├── Win32.Ransomware.Sarbloh.yara │ ├── Win32.Ransomware.Satan.yara │ ├── Win32.Ransomware.Satana.yara │ ├── Win32.Ransomware.Saturn.yara │ ├── Win32.Ransomware.Sepsis.yara │ ├── Win32.Ransomware.Serpent.yara │ ├── Win32.Ransomware.SevenSevenSeven.yara │ ├── Win32.Ransomware.ShadowCryptor.yara │ ├── Win32.Ransomware.Sherminator.yara │ ├── Win32.Ransomware.Sifrelendi.yara │ ├── Win32.Ransomware.Sifreli.yara │ ├── Win32.Ransomware.Sigrun.yara │ ├── Win32.Ransomware.Skystars.yara │ ├── Win32.Ransomware.Spora.yara │ ├── Win32.Ransomware.TBLocker.yara │ ├── Win32.Ransomware.TargetCompany.yara │ ├── Win32.Ransomware.TechandStrat.yara │ ├── Win32.Ransomware.TeleCrypt.yara │ ├── 
Win32.Ransomware.Termite.yara │ ├── Win32.Ransomware.Teslacrypt.yara │ ├── Win32.Ransomware.Teslarvng.yara │ ├── Win32.Ransomware.Thanatos.yara │ ├── Win32.Ransomware.TorrentLocker.yara │ ├── Win32.Ransomware.VHDLocker.yara │ ├── Win32.Ransomware.VegaLocker.yara │ ├── Win32.Ransomware.Velso.yara │ ├── Win32.Ransomware.WannaCry.yara │ ├── Win32.Ransomware.WaspLocker.yara │ ├── Win32.Ransomware.Wastedlocker.yara │ ├── Win32.Ransomware.WinWord64.yara │ ├── Win32.Ransomware.WsIR.yara │ ├── Win32.Ransomware.Xorist.yara │ ├── Win32.Ransomware.Zeoticus.yara │ ├── Win32.Ransomware.Zeppelin.yara │ ├── Win32.Ransomware.ZeroCrypt.yara │ ├── Win32.Ransomware.Zhen.yara │ ├── Win32.Ransomware.Zoldon.yara │ ├── Win64.Ransomware.Ako.yara │ ├── Win64.Ransomware.AntiWar.yara │ ├── Win64.Ransomware.AwesomeScott.yara │ ├── Win64.Ransomware.BlackBasta.yara │ ├── Win64.Ransomware.Curator.yara │ ├── Win64.Ransomware.DST.yara │ ├── Win64.Ransomware.HermeticRansom.yara │ ├── Win64.Ransomware.HotCoffee.yara │ ├── Win64.Ransomware.Nokoyawa.yara │ ├── Win64.Ransomware.Pandora.yara │ ├── Win64.Ransomware.RedRoman.yara │ ├── Win64.Ransomware.Rook.yara │ ├── Win64.Ransomware.SeedLocker.yara │ ├── Win64.Ransomware.Seth.yara │ ├── Win64.Ransomware.Solaso.yara │ ├── Win64.Ransomware.Vovalex.yara │ ├── Win64.Ransomware.WhiteBlackCrypt.yara │ └── Win64.Ransomware.Wintenzz.yara │ ├── trojan │ ├── Win32.Trojan.CaddyWiper.yara │ ├── Win32.Trojan.Dridex.yara │ ├── Win32.Trojan.Emotet.yara │ ├── Win32.Trojan.HermeticWiper.yara │ ├── Win32.Trojan.IsaacWiper.yara │ └── Win32.Trojan.TrickBot.yara │ └── virus │ ├── Linux.Virus.Vit.yara │ ├── Win32.Virus.Awfull.yara │ ├── Win32.Virus.Cmay.yara │ ├── Win32.Virus.DeadCode.yara │ ├── Win32.Virus.Elerad.yara │ ├── Win32.Virus.Greenp.yara │ ├── Win32.Virus.Mocket.yara │ └── Win32.Virus.Negt.yara └── yara_scanner.exe /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object 
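files
*.slo
*.lo
*.o
*.obj

# Precompiled Headers
*.gch
*.pch

# Compiled Dynamic libraries
*.so
*.dylib
*.dll

# Fortran module files
*.mod
*.smod

# Compiled Static libraries
*.lai
*.la
*.a
*.lib

# Executables
*.out
*.app
--------------------------------------------------------------------------------
/door_scanner/config.json:
--------------------------------------------------------------------------------
{
    "apikey": "",
    "max_file_limit": 10737418240
}
--------------------------------------------------------------------------------
/door_scanner/door_scanner_2022_10_20.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoomaSec/RmTools/db80cb3f19c2f378e4cb6c0d2b3960ff0db0ea45/door_scanner/door_scanner_2022_10_20.exe
--------------------------------------------------------------------------------
/door_scanner/door_scanner_2022_8_26.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoomaSec/RmTools/db80cb3f19c2f378e4cb6c0d2b3960ff0db0ea45/door_scanner/door_scanner_2022_8_26.exe
--------------------------------------------------------------------------------
/door_scanner/door_scanner_2023_8_3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoomaSec/RmTools/db80cb3f19c2f378e4cb6c0d2b3960ff0db0ea45/door_scanner/door_scanner_2023_8_3.exe
--------------------------------------------------------------------------------
/door_scanner/offline_scan.py:
--------------------------------------------------------------------------------
"""Offline triage of a shimcache CSV export against MetaDefender Cloud.

Each distinct file hash found in ./shimcache.csv is looked up once via the
MetaDefender hash API; rows whose hash the service reports as "Infected" are
printed.  The API key is taken from the METADEFENDER_APIKEY environment
variable so that it never has to be committed with this script.
"""
import csv
import os
import re
import sys

import requests

# MetaDefender Cloud hash-lookup endpoint; the hash is the final path segment.
API_URL = "https://api.metadefender.com/v4/hash/"

# Only MD5 / SHA-1 / SHA-256 hex digests are ever sent to the API.  Anything
# else (the CSV header row, empty cells, a path that landed in the wrong
# column) is skipped instead of being spliced into the request URL, where a
# value containing "/", "?" or "#" would change which endpoint is called.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")

# Zero-based column of the shimcache CSV that holds the file hash.  Adjust
# this for your export: the column position differs between shimcache
# parsers (original comment: "you have to change the position yourself, it
# may differ between CSV files").
HASH_COLUMN = 1

# Seconds to wait on a single API request before giving up on that hash.
# Without a timeout a stalled connection would hang the whole scan.
REQUEST_TIMEOUT = 30

# The key used to come from a hard-coded placeholder ("你的API key", i.e.
# "your API key") that was sent to the service verbatim when left unedited.
API_KEY = os.environ.get("METADEFENDER_APIKEY", "")
if not API_KEY:
    sys.exit("offline_scan.py: set METADEFENDER_APIKEY to your MetaDefender API key")

headers = {
    'apikey': API_KEY
}

# Every hash that has already been looked up, infected or not, so a hash that
# appears on several shimcache rows costs only one API call (the earlier
# version only remembered infected hashes and re-queried clean duplicates).
scanned_hash = set()


def check_file(hash):
    """Look up one hash on MetaDefender and report whether it is flagged.

    Args:
        hash: hex digest (MD5, SHA-1 or SHA-256) of the file to query.

    Returns:
        True when the API response body contains "Infected", False otherwise
        (clean, hash unknown to the service, or the request failed).  Request
        failures are printed and treated as "not infected" so that one bad
        lookup does not abort the rest of the scan.
    """
    url = API_URL + hash
    try:
        response = requests.request("GET", url, headers=headers,
                                    timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        print("lookup failed:", hash, exc)
        return False
    # NOTE(review): a hash the service does not know and a quota / rate-limit
    # rejection both come back as non-2xx responses without "Infected" in the
    # body, so they look exactly like "clean" to the check below.  Print the
    # status so the operator can tell a clean verdict from a failed lookup.
    if not response.ok:
        print("lookup status", response.status_code, "for", hash)
    if "Infected" in response.text:
        print("file info:", response.text)
        return True
    return False


# csv.reader handles quoted fields (paths with commas) that a plain
# line.split(",") would mis-split; the with-block closes the file on exit.
with open('./shimcache.csv', 'r', newline='') as csvfile:
    for row in csv.reader(csvfile):
        if len(row) <= HASH_COLUMN:
            continue
        filehash = row[HASH_COLUMN].strip()
        if not HASH_RE.match(filehash) or filehash in scanned_hash:
            continue
        scanned_hash.add(filehash)
        print("scan:", filehash)
        if check_file(filehash):
            print("Found virs: ", ",".join(row))
--------------------------------------------------------------------------------
/memory_scanner/config.json:
--------------------------------------------------------------------------------
{
    "apikey": "",
    "ioc_scan_dll": 0,
    "max_file_limit": 5002400
}
--------------------------------------------------------------------------------
/memory_scanner/memory_scanner.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoomaSec/RmTools/db80cb3f19c2f378e4cb6c0d2b3960ff0db0ea45/memory_scanner/memory_scanner.exe
--------------------------------------------------------------------------------
/memory_scanner/memory_scanner_2024_5_27.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoomaSec/RmTools/db80cb3f19c2f378e4cb6c0d2b3960ff0db0ea45/memory_scanner/memory_scanner_2024_5_27.exe
--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Multi_AttackSimulation_Blindspot.yar:
--------------------------------------------------------------------------------
rule Multi_AttackSimulation_Blindspot_d93f54c5 {
    meta:
        author = "Elastic Security"
        id = "d93f54c5-6574-4999-a3c0-39ef688b28dc"
        fingerprint =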
"4ec38f841aa4dfe32b1f6b6cd2e361c7298839ef1e983061cb90827135f34a58" 6 | creation_date = "2022-05-23" 7 | last_modified = "2022-08-16" 8 | threat_name = "Multi.AttackSimulation.Blindspot" 9 | severity = 1 10 | arch_context = "x86, arm64" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "multi" 14 | strings: 15 | $a = "\\\\.\\pipe\\blindspot-%d." 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Multi_EICAR.yar: -------------------------------------------------------------------------------- 1 | rule Multi_EICAR_ac8f42d6 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ac8f42d6-52da-46ec-8db1-5a5f69222a38" 5 | fingerprint = "bb0e0bdf70ec65d98f652e2428e3567013d5413f2725a2905b372fd18da8b9dd" 6 | creation_date = "2021-01-21" 7 | last_modified = "2022-01-13" 8 | threat_name = "Multi.EICAR.Not-a-virus" 9 | severity = 1 10 | arch_context = "x86, arm64" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "multi" 14 | strings: 15 | $a = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii fullword 16 | condition: 17 | all of them 18 | } 19 | 20 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Multi_Trojan_Coreimpact.yar: -------------------------------------------------------------------------------- 1 | rule Multi_Trojan_Coreimpact_37703dc3 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "37703dc3-9485-4026-a8b7-82e753993757" 5 | fingerprint = "5a4d7af7d0fecc05f87ba51f976d78e77622f8afb1eafc175444f45839490109" 6 | creation_date = "2022-08-10" 7 | last_modified = "2022-09-29" 8 | threat_name = "Multi.Trojan.Coreimpact" 9 | reference_sample = "2d954908da9f63cd3942c0df2e8bb5fe861ac5a336ddef2bd0a977cebe030ad7" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license 
= "Elastic License v2" 14 | os = "multi" 15 | strings: 16 | $str1 = "Uh, oh, exit() failed" fullword 17 | $str2 = "agent_recv" fullword 18 | $str3 = "needroot" fullword 19 | $str4 = "time is running backwards, corrected" fullword 20 | $str5 = "junk pointer, too low to make sense" fullword 21 | condition: 22 | 3 of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_AttackSimulation_Hovercraft.yar: -------------------------------------------------------------------------------- 1 | rule Windows_AttackSimulation_Hovercraft_f5c7178f { 2 | meta: 3 | author = "Elastic Security" 4 | id = "f5c7178f-9a3f-463d-96a7-0a82cbed9ba2" 5 | fingerprint = "8965ab173fd09582c9e77e7c54c9722b91b71ecbe42c4f8a8cc87d9a780ffe8c" 6 | creation_date = "2022-05-23" 7 | last_modified = "2022-07-18" 8 | threat_name = "Windows.AttackSimulation.Hovercraft" 9 | reference = "046645b2a646c83b4434a893a0876ea9bd51ae05e70d4e72f2ccc648b0f18cb6" 10 | severity = 1 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "MyHovercraftIsFullOfEels" wide fullword 17 | $a2 = "WinHttp.dll" fullword 18 | condition: 19 | all of them 20 | } 21 | 22 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Cryptominer_Generic.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Cryptominer_Generic_dd1e4d1a { 2 | meta: 3 | author = "Elastic Security" 4 | id = "dd1e4d1a-2e2f-4af0-bd66-2e12367dd064" 5 | fingerprint = "a00e3e08e11d10a7a4bf1110a5110e4d0a4d2acf0974aca9dfc1ad5f21c80df7" 6 | creation_date = "2021-01-12" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Cryptominer.Generic" 9 | reference_sample = "7ac1d7b6107307fb2442522604c8fa56010d931392d606ac74dcea6b7125954b" 10 | severity = 100 11 | arch_context = 
"x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { EF F9 66 0F EF FA 66 0F FE FE 66 0F 6F B0 B0 00 00 00 66 0F } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Exploit_Dcom.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Exploit_Dcom_7a1bcec7 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "7a1bcec7-e177-4adf-97a7-0d876bf65abc" 5 | fingerprint = "0abae84599e490056412d5a5ce1868ea118551243377d59cbb6ebd83701769b8" 6 | creation_date = "2021-01-12" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Exploit.Dcom" 9 | reference_sample = "84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 20 62 79 20 46 6C 61 73 68 53 6B 79 20 61 6E 64 20 42 65 6E } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Exploit_Eternalblue.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Exploit_Eternalblue_ead33bf8 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ead33bf8-1870-4d01-a223-edcbe262542f" 5 | fingerprint = "9e3b5f4f0b8ac683544886abbd9eecbf0253a7992ee5d99c453de67b9aacdccd" 6 | creation_date = "2021-01-12" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Exploit.Eternalblue" 9 | reference_sample = "a1340e418c80be58fb6bbb48d4e363de8c6d62ea59730817d5eda6ba17b2c7a7" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { F8 31 C9 EB 0B 40 8A 3C 0E 40 88 3C 08 48 FF C1 48 39 
D1 75 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Exploit_Log4j.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Exploit_Log4j_dbac7698 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "dbac7698-906c-44a2-9795-f04ec07d7fcc" 5 | fingerprint = "cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159" 6 | creation_date = "2021-12-13" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Exploit.Log4j" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $jndi1 = "jndi.ldap.LdapCtx.c_lookup" 16 | $jndi2 = "logging.log4j.core.lookup.JndiLookup.lookup" 17 | $jndi3 = "com.sun.jndi.url.ldap.ldapURLContext.lookup" 18 | $exp1 = "Basic/Command/Base64/" 19 | $exp2 = "java.lang.ClassCastException: Exploit" 20 | $exp3 = "WEB-INF/classes/Exploit" 21 | $exp4 = "Exploit.java" 22 | condition: 23 | 2 of ($jndi*) and 1 of ($exp*) 24 | } 25 | 26 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Hacktool_BlackBone.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Hacktool_BlackBone_2ff5ec38 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "2ff5ec38-ce35-432a-8ffa-d459f84438dd" 5 | fingerprint = "e3df60931c040081214296f006d98e155a5dc7e285a840a1decb23186ef67465" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.Hacktool.BlackBone" 9 | reference_sample = "4e3887f950bff034efedd40f1e949579854a24140128246fa6141f2c34de6017" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "BlackBone: %s: ZwCreateThreadEx hThread 
0x%X" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Hacktool_Capcom.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Hacktool_Capcom_7abae448 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "7abae448-0ebc-433f-b368-0b8560da7197" 5 | fingerprint = "965e85fc3b2a21aef84c7c2bd59708b121d9635ce6bab177014b28fb00102884" 6 | creation_date = "2022-04-07" 7 | last_modified = "2022-04-07" 8 | description = "Subject: CAPCOM Co.,Ltd." 9 | threat_name = "Windows.Hacktool.Capcom" 10 | reference_sample = "da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24" 11 | severity = 50 12 | arch_context = "x86" 13 | scan_context = "file" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | strings: 17 | $subject_name = { 06 03 55 04 03 [2] 43 41 50 43 4F 4D 20 43 6F 2E 2C 4C 74 64 2E } 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name 20 | } 21 | 22 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Hacktool_CheatEngine.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Hacktool_CheatEngine_fedac96d { 2 | meta: 3 | author = "Elastic Security" 4 | id = "fedac96d-4c23-4c8d-8476-4c89fd610441" 5 | fingerprint = "94d375ddab90c27ef22dd18b98952d0ec8a4d911151970d5b9f59654a8e3d7db" 6 | creation_date = "2022-04-07" 7 | last_modified = "2022-04-07" 8 | description = "Subject: Cheat Engine" 9 | threat_name = "Windows.Hacktool.CheatEngine" 10 | reference_sample = "b20b339a7b61dc7dbc9a36c45492ba9654a8b8a7c8cbc202ed1dfed427cfd799" 11 | severity = 50 12 | arch_context = "x86" 13 | scan_context = "file" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | strings: 17 | $subject_name = { 06 03 55 04 03 [2] 43 
68 65 61 74 20 45 6E 67 69 6E 65 } 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name 20 | } 21 | 22 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Hacktool_CpuLocker.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Hacktool_CpuLocker_73b41444 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "73b41444-4c17-4fea-b440-fe7b0a086a7f" 5 | fingerprint = "3f90517fbeafdccd37e4b8ab0316a91dd18a911cb1f4ffcd4686ab912a0feab4" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.Hacktool.CpuLocker" 9 | reference_sample = "dbfc90fa2c5dc57899cc75ccb9dc7b102cb4556509cdfecde75b36f602d7da66" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\CPULocker.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Hacktool_Gmer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Hacktool_Gmer_8aabdd5e { 2 | meta: 3 | author = "Elastic Security" 4 | id = "8aabdd5e-1ce7-4257-abaa-8d02dc6856a6" 5 | fingerprint = "960721d4d111a670907fe7d3ce01dfd134ad03a2d8440a945c75a7d46de46238" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.Hacktool.Gmer" 9 | reference_sample = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\gmer64.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | 
-------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Hacktool_ProcessHacker.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Hacktool_ProcessHacker_3d01069e { 2 | meta: 3 | author = "Elastic Security" 4 | id = "3d01069e-7afb-4da0-b7ac-23f90db26495" 5 | fingerprint = "5d6a0835ac6c0548292ff11741428d7b2f4421ead6d9e2ca35379cbceb6ee68c" 6 | creation_date = "2022-03-30" 7 | last_modified = "2022-03-30" 8 | threat_name = "Windows.Hacktool.ProcessHacker" 9 | reference_sample = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $original_file_name = "OriginalFilename\x00kprocesshacker.sys" wide fullword 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $original_file_name 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Hacktool_RWEverything.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Hacktool_RWEverything_da67eda7 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "da67eda7-1455-4231-8de5-040d5f0dfd6f" 5 | fingerprint = "078971f0c67b24a7fb321fa64ecfd4e4c3b9785961eea042cc5f9f1cd9e699af" 6 | creation_date = "2022-04-07" 7 | last_modified = "2022-04-07" 8 | description = "Subject: ChongKim Chan" 9 | threat_name = "Windows.Hacktool.RWEverything" 10 | reference_sample = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" 11 | severity = 50 12 | arch_context = "x86" 13 | scan_context = "file" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | strings: 17 | $subject_name = { 06 03 55 04 03 [2] 43 68 6F 6E 67 4B 69 6D 20 43 68 61 6E } 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name 
20 | } 21 | 22 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_PUP_Veriato.yar: -------------------------------------------------------------------------------- 1 | rule Windows_PUP_Veriato_fae5978c { 2 | meta: 3 | author = "Elastic Security" 4 | id = "fae5978c-f26c-4215-9407-d16e492ab5c1" 5 | fingerprint = "8d351cdd11d6dddc76cd89e7de9e65b28ef5c8183db804b2a450095e2f3214e5" 6 | creation_date = "2022-06-08" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.PUP.Veriato" 9 | reference_sample = "53f09e60b188e67cdbf28bda669728a1f83d47b0279debf3d0a8d5176479d17f" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $s1 = "InitializeDll" fullword 17 | $a1 = "C:\\Windows\\winipbin\\svrltmgr.dll" fullword 18 | $a2 = "C:\\Windows\\winipbin\\svrltmgr64.dll" fullword 19 | condition: 20 | $s1 and ($a1 or $a2) 21 | } 22 | 23 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Ransomware_Avoslocker.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Avoslocker_7ae4d4f2 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "7ae4d4f2-be5f-4aad-baaa-4182ff9cf996" 5 | fingerprint = "0e5ff268ed2b62f9d31df41192135145094849a4e6891407568c3ea27ebf66bb" 6 | creation_date = "2021-07-28" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Ransomware.Avoslocker" 9 | reference_sample = "43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "drive %s took %f seconds" ascii fullword 17 | $a2 = "client_rsa_priv: %s" ascii fullword 18 | $a3 = "drive: %s" ascii fullword 19 | $a4 = "Map: %s" ascii 
fullword
        $a5 = "encrypting %ls failed" wide fullword
    condition:
        all of them
}

--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_Ransomware_Conti.yar:
--------------------------------------------------------------------------------
rule Windows_Ransomware_Conti_89f3f6fa {
    meta:
        author = "Elastic Security"
        id = "89f3f6fa-492c-40e3-a4aa-a526004197b2"
        fingerprint = "a82331eba3cbd52deb4bed5e11035ac1e519ec27931507f582f2985865c0fb1a"
        creation_date = "2021-08-05"
        last_modified = "2021-10-04"
        threat_name = "Windows.Ransomware.Conti"
        reference_sample = "eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { F7 FE 88 57 FF 83 EB 01 75 DA 8B 45 FC 5F 5B 40 5E 8B E5 5D C3 8D }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_Ransomware_Lockfile.yar:
--------------------------------------------------------------------------------
rule Windows_Ransomware_Lockfile_74185716 {
    meta:
        author = "Elastic Security"
        id = "74185716-e79d-4d63-b6ae-9480f24dcd4f"
        fingerprint = "849a0fb5a2e08b2d32db839a7fdbde03a184a48726678e65e7f8452b354a3ca8"
        creation_date = "2021-08-31"
        last_modified = "2022-01-13"
        threat_name = "Windows.Ransomware.Lockfile"
        reference_sample = "bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a1 = "LOCKFILE-README"
        $a2 = "wmic process where \"name like '%virtualbox%'\" call terminate"
        // NOTE(review): $a3 is a zero-length text string here.  YARA rejects
        // empty strings at compile time, so this file will not load as shown,
        // and with "all of them" the rule could never match even if it did.
        // The value looks like it was stripped by an HTML-aware extractor
        // (the upstream Elastic rule carries a markup-like string at this
        // position); restore it from the upstream rule before deploying, and
        // check that the scanner does not silently drop the whole rule set
        // when one rule fails to compile.
        $a3 = ""
        $a4 = ".lockfile"
condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Ransomware_Mespinoza.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Mespinoza_3adb59f5 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "3adb59f5-a4af-48f2-8029-874a62b23651" 5 | fingerprint = "f44a79048427e79d339d3b0ccaeb85ba6731d5548256a2615f32970dcf67578f" 6 | creation_date = "2021-08-05" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Ransomware.Mespinoza" 9 | reference_sample = "6f3cd5f05ab4f404c78bab92f705c91d967b31a9b06017d910af312fa87ae3d6" 10 | severity = 90 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Don't try to use backups because it were encrypted too." ascii fullword 17 | $a2 = "Every byte on any types of your devices was encrypted." 
ascii fullword 18 | $a3 = "n.pysa" wide fullword 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Ransomware_Pandora.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Pandora_bca8ce23 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "bca8ce23-6722-4cda-b5fa-623eda4fca1b" 5 | fingerprint = "0da732f6bdf24f35dee3c1bf85435650a5ce9b5c6a93f01176659943c01ad711" 6 | creation_date = "2022-03-14" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Ransomware.Pandora" 9 | reference_sample = "2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "/c vssadmin.exe delete shadows /all /quiet" wide fullword 17 | $a2 = "\\Restore_My_Files.txt" wide fullword 18 | $a3 = ".pandora" wide fullword 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Ransomware_Ransomexx.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Ransomexx_fabff49c { 2 | meta: 3 | author = "Elastic Security" 4 | id = "fabff49c-8e1a-4020-b081-2f432532e529" 5 | fingerprint = "a7a1e6d5fafdddc7d4699710edf407653968ffd40747c50f26ef63a6cb623bbe" 6 | creation_date = "2021-08-07" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Ransomware.Ransomexx" 9 | reference_sample = "480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "ransom.exx" ascii fullword 17 | $a2 = "Infrastructure rebuild 
will cost you MUCH more." wide fullword 18 | $a3 = "Your files are securely ENCRYPTED." wide fullword 19 | $a4 = "delete catalog -quiet" wide fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Ransomware_Rook.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Rook_ee21fa67 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ee21fa67-bd82-40fb-9c6d-bab5abfe14b3" 5 | fingerprint = "8ef731590e73f79a13d04db39e58b03d0a29fd8e46a0584b0fcaf57ac0efe473" 6 | creation_date = "2022-01-14" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Ransomware.Rook" 9 | reference_sample = "c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 01 75 09 8B C3 FF C3 48 89 74 C5 F0 48 FF C7 48 83 FF 1A 7C DB } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Ransomware_Royal.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Royal_b7d42109 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "b7d42109-f327-4ec3-86ac-d1ebb9478860" 5 | fingerprint = "ff518f25b39b02769b67c437f38958d14e4e8f50b91f4c73591203da297a5d2a" 6 | creation_date = "2022-11-04" 7 | last_modified = "2022-12-20" 8 | threat_name = "Windows.Ransomware.Royal" 9 | reference_sample = "491c2b32095174b9de2fd799732a6f84878c2e23b9bb560cd3155cbdc65e2b80" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Try Royal today and enter the new era of data security" ascii 
fullword 17 | $a2 = "If you are reading this, it means that your system were hit by Royal ransomware." ascii fullword 18 | $a3 = "http://royal" 19 | $a4 = "\\README.TXT" wide fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Ransomware_Stop.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Stop_1e8d48ff { 2 | meta: 3 | author = "Elastic Security" 4 | id = "1e8d48ff-e0ab-478d-8268-a11f2e87ab79" 5 | fingerprint = "715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb" 6 | creation_date = "2021-06-10" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Ransomware.Stop" 9 | reference_sample = "821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = "E:\\Doc\\My work (C++)\\_Git\\Encryption\\Release\\encrypt_win_api.pdb" ascii fullword 17 | $b = { 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF } 18 | condition: 19 | any of them 20 | } 21 | 22 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Rootkit_R77.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Rootkit_R77_5bab748b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "5bab748b-8576-4967-9b50-a3778db1dd71" 5 | fingerprint = "2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa" 6 | creation_date = "2022-03-04" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Rootkit.R77" 9 | reference_sample = "cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License 
v2" 14 | os = "windows" 15 | strings: 16 | $a = { 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_A310logger.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_A310logger_520cd7ec { 2 | meta: 3 | author = "Elastic Security" 4 | id = "520cd7ec-840c-4d45-961b-8bc5e329c52f" 5 | fingerprint = "f4ee88e555b7bd0102403cc804372f5376debc59555e8e7b4a16e18b04d1b314" 6 | creation_date = "2022-01-11" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.A310logger" 9 | reference_sample = "60fb9597e5843c72d761525f73ca728409579d81901860981ebd84f7d153cfa3" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "/dumps9taw" ascii fullword 17 | $a2 = "/logstatus" ascii fullword 18 | $a3 = "/checkprotection" ascii fullword 19 | $a4 = "[CLIPBOARD]<<" wide fullword 20 | $a5 = "&chat_id=" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_ArkeiStealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_ArkeiStealer_84c7086a { 2 | meta: 3 | author = "Elastic Security" 4 | id = "84c7086a-abc3-4b97-b325-46a078b90a95" 5 | fingerprint = "f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d" 6 | creation_date = "2022-02-17" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.ArkeiStealer" 9 | reference_sample = "708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os 
= "windows" 15 | strings: 16 | $a = { 01 89 55 F4 8B 45 F4 3B 45 10 73 31 8B 4D 08 03 4D F4 0F BE 19 8B } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Babylonrat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Babylonrat_0f66e73b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "0f66e73b-7824-46b6-a9e6-5abf018c9ffa" 5 | fingerprint = "3998824e381f51aaa2c81c12d4c05157c642d8aef39982e35fa3e124191640ea" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Babylonrat" 9 | reference_sample = "4278064ec50f87bb0471053c068b13955ed9d599434e687a64bf2060438a7511" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "BabylonRAT" wide fullword 17 | $a2 = "Babylon RAT Client" wide fullword 18 | $a3 = "ping 0 & del \"" wide fullword 19 | $a4 = "\\%Y %m %d - %I %M %p" wide fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Backoff.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Backoff_22798f00 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "22798f00-ff2a-4f5f-a9ef-fab6d04ca679" 5 | fingerprint = "a45fc701844e6e0cfba5d8ef90d00960b5817af66e6b3d889a54d33539cd5d41" 6 | creation_date = "2022-08-10" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.Trojan.Backoff" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $str1 = "\\nsskrnl" fullword 16 | $str2 = "Upload KeyLogs" fullword 17 | $str3 = 
"&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s" fullword 18 | $str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword 19 | $str5 = "\\OracleJava\\Log.txt" fullword 20 | $str6 = "[Ctrl+%c]" fullword 21 | condition: 22 | 3 of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Bandook.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Bandook_38497690 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "38497690-6663-47c9-a864-0bbe6a3f7a8b" 5 | fingerprint = "b6debea805a8952b9b7473ad7347645e4aced3ecde8d6e53fa2d82c35b285b3c" 6 | creation_date = "2022-08-10" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.Trojan.Bandook" 9 | reference_sample = "4d079586a51168aac708a9ab7d11a5a49dfe7a16d9ced852fbbc5884020c0c97" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "%s~!%s~!%s~!%s~!%s~!%s~!" 
17 | $str2 = "ammyy.abc" 18 | $str3 = "StealUSB" 19 | $str4 = "DisableMouseCapture" 20 | $str5 = "%sSkype\\%s\\config.xml" 21 | $str6 = "AVE_MARIA" 22 | condition: 23 | 3 of them 24 | } 25 | 26 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_CaesarKbd.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_CaesarKbd_32bb198b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "32bb198b-ec03-4628-8e9b-bc36c2525ec7" 5 | fingerprint = "54ed92761bb619ae4dcec9c27127d6c2a74a575916249cd5db24b8deb2ee0588" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-06-09" 8 | threat_name = "Windows.Trojan.CaesarKbd" 9 | reference_sample = "d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "CaesarKbd_IOCtrl" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Cryptbot.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Cryptbot_489a6562 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "489a6562-870c-4105-9bb7-52ab09e5b09c" 5 | fingerprint = "f4578d79f8923706784e9d55a70ec74051273a945d2b277daa6229724defec3f" 6 | creation_date = "2021-08-18" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Cryptbot" 9 | reference_sample = "423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "/c rd /s /q %Temp%\\" wide fullword 17 | $a2 = "\\_Files\\_AllPasswords_list.txt" 
wide fullword 18 | $a3 = "\\files_\\cryptocurrency\\log.txt" wide fullword 19 | $a4 = "%wS\\%wS\\%wS.tmp" wide fullword 20 | $a5 = "%AppData%\\waves-exchange" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_DBatLoader.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_DBatLoader_f93a8e90 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "f93a8e90-10ac-44de-ac3b-c0e976628e98" 5 | fingerprint = "81b87663fbad9854430e5c4dcade464a15b995e645f9993a3e234593ee4df901" 6 | creation_date = "2022-03-11" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.DBatLoader" 9 | reference_sample = "f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { FF 00 74 17 8B 45 E8 0F B6 7C 18 FF 66 03 7D EC 66 0F AF 7D F4 66 03 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_DarkVNC.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_DarkVNC_bd803c2e { 2 | meta: 3 | author = "Elastic Security" 4 | id = "bd803c2e-77bd-4b8c-bdfa-11a9bd54a454" 5 | fingerprint = "131f4b3ef5b01720a52958058ecc4c3681ed0ca975a1a06cd034d7205680e710" 6 | creation_date = "2023-01-23" 7 | last_modified = "2023-02-01" 8 | threat_name = "Windows.Trojan.DarkVNC" 9 | reference_sample = "0fcc1b02fdaf211c772bd4fa1abcdeb5338d95911c226a9250200ff7f8e45601" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "BOT-%s(%s)_%S-%S%u%u" wide 
fullword 17 | $a2 = "{%08X-%04X-%04X-%04X-%08X%04X}" wide fullword 18 | $a3 = "monitor_off / monitor_on" ascii fullword 19 | $a4 = "bot_shell >" ascii fullword 20 | $a5 = "keyboard and mouse are blocked !" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Darkcomet.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Darkcomet_1df27bcc { 2 | meta: 3 | author = "Elastic Security" 4 | id = "1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63" 5 | fingerprint = "63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b" 6 | creation_date = "2021-08-16" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Darkcomet" 9 | reference_sample = "7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "BTRESULTHTTP Flood|Http Flood task finished!|" ascii fullword 17 | $a2 = "is now open!|" ascii fullword 18 | $a3 = "ActiveOnlineKeylogger" ascii fullword 19 | $a4 = "#BOT#RunPrompt" ascii fullword 20 | $a5 = "GETMONITORS" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_DiamondFox.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_DiamondFox_18bc11e3 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "18bc11e3-5872-40b0-a3b7-cef4b32fac15" 5 | fingerprint = "6f908d11220e218a7b59239ff3cc00c7e273fb46ec99ef7ae37e4aceb4de7831" 6 | creation_date = "2022-03-02" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.DiamondFox" 9 | reference_sample = 
"a44c46d4b9cf1254aaabd1e689f84c4d2c3dd213597f827acabface03a1ae6d1" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "\\wscript.vbs" wide fullword 17 | $a2 = "\\snapshot.jpg" wide fullword 18 | $a3 = "&soft=" wide fullword 19 | $a4 = "ping -n 4 127.0.0.1 > nul" wide fullword 20 | $a5 = "Select Name from Win32_Process Where Name = '" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Farfli.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Farfli_85d1bcc9 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "85d1bcc9-c3c7-454c-a77f-0e0de933c4c3" 5 | fingerprint = "56a5e4955556d08b80849ea5775f35f5a32999d6b5df92357ab142a4faa74ac3" 6 | creation_date = "2022-02-17" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.Farfli" 9 | reference_sample = "e3e9ea1b547cc235e6f1a78b4ca620c69a54209f84c7de9af17eb5b02e9b58c3" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { AB 66 AB C6 45 D4 25 C6 45 D5 73 C6 45 D6 5C C6 45 D7 25 C6 45 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Garble.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Garble_eae7f2f7 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "eae7f2f7-49b3-427c-9cf3-cce64d772c78" 5 | fingerprint = "b72b8d475ef50a5e703d741f195d8ce0916f46ee5744c5bc7c8d452ab23df388" 6 | creation_date = "2022-06-08" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.Trojan.Garble" 9 | reference_sample 
= "4820a1ec99981e03675a86c4c01acba6838f04945b5f753770b3de4e253e1b8c" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = ".\"G!-$G#-&J%.(G'-*G)-,J+..G--0G/-2J1.4G3-6G5-8J7.:G9-J=+@A?-BAA*DAC*FAE*HFG+JAI-LAK*NAM*PAO*RFQ+TAS-VAU9" 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Gh0st.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Gh0st_ee6de6bc { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ee6de6bc-1648-4a77-9607-e2a211c7bda4" 5 | fingerprint = "3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455" 6 | creation_date = "2021-06-10" 7 | last_modified = "2021-08-23" 8 | description = "Identifies a variant of Gh0st Rat" 9 | threat_name = "Windows.Trojan.Gh0st" 10 | reference_sample = "ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d" 11 | severity = 100 12 | arch_context = "x86" 13 | scan_context = "file, memory" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | strings: 17 | $a1 = ":]%d-%d-%d %d:%d:%d" ascii fullword 18 | $a2 = "[Pause Break]" ascii fullword 19 | $a3 = "f-secure.exe" ascii fullword 20 | $a4 = "Accept-Language: zh-cn" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Hancitor.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Hancitor_6738d84a { 2 | meta: 3 | author = "Elastic Security" 4 | id = "6738d84a-7393-4db2-97cc-66f471b5699a" 5 | fingerprint = "44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912" 6 | creation_date = "2021-06-17" 7 | last_modified = "2021-08-23" 8 | threat_name = 
"Windows.Trojan.Hancitor" 9 | reference_sample = "a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d" 17 | $b1 = "Rundll32.exe %s, start" ascii fullword 18 | $b2 = "MASSLoader.dll" ascii fullword 19 | condition: 20 | $a1 or all of ($b*) 21 | } 22 | 23 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Hawkeye.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Hawkeye_77c36ace { 2 | meta: 3 | author = "Elastic Security" 4 | id = "77c36ace-3857-43f8-a6de-596ba7964b6f" 5 | fingerprint = "c9a1c61b4fa78c46d493e1b307e9950bd714ba4e5a6249f15a3b86a74b7638e5" 6 | creation_date = "2021-08-16" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Hawkeye" 9 | reference_sample = "28e28025060f1bafd4eb96c7477cab73497ca2144b52e664b254c616607d94cd" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Logger - Key Recorder - [" wide fullword 17 | $a2 = "http://whatismyipaddress.com/" wide fullword 18 | $a3 = "Keylogger Enabled: " wide fullword 19 | $a4 = "LoadPasswordsSeaMonkey" wide fullword 20 | $a5 = "\\.minecraft\\lastlogin" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Jupyter.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Jupyter_56152e31 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "56152e31-77c6-49fa-bbc5-c3630f11e633" 5 | fingerprint = 
"9cccc2e3d4cfe9ff090d02b143fa837f4da0c229426435b4e097f902e8c5fb01" 6 | creation_date = "2021-07-22" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Trojan.Jupyter" 9 | reference_sample = "ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "%appdata%\\solarmarker.dat" ascii fullword 17 | $a2 = "\\AppData\\Roaming\\solarmarker.dat" wide fullword 18 | $b1 = "steal_passwords" ascii fullword 19 | $b2 = "jupyter" ascii fullword 20 | condition: 21 | 1 of ($a*) or 2 of ($b*) 22 | } 23 | 24 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Limerat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Limerat_24269a79 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "24269a79-0172-4da5-9b4d-f61327072bf0" 5 | fingerprint = "cb714cd787519216d25edaad9f89a9c0ce1b8fbbbcdf90bda4c79f5d85fdf381" 6 | creation_date = "2021-08-17" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Limerat" 9 | reference_sample = "ec781a714d6bc6fac48d59890d9ae594ffd4dbc95710f2da1f1aa3d5b87b9e01" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr \"'" wide fullword 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Lucifer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Lucifer_ce9d4cc8 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ce9d4cc8-8f16-4272-a54b-e500d4edea9b" 5 | fingerprint = 
"77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55" 6 | creation_date = "2022-02-17" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.Lucifer" 9 | reference_sample = "1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Lurker.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Lurker_0ee51802 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "0ee51802-4ff3-4edf-95ed-bb0338ff25d9" 5 | fingerprint = "c30bc4e25c1984268a3bb44c59081131d1e81254b94734f6af2b47969c0acd0e" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-06-09" 8 | threat_name = "Windows.Trojan.Lurker" 9 | reference_sample = "5718fd4f807e29e48a8b6a6f4484426ba96c61ec8630dc78677686e0c9ba2b87" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\Device\\ZHWLurker0410" wide fullword 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Merlin.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Merlin_e8ecb3be { 2 | meta: 3 | author = "Elastic Security" 4 | id = "e8ecb3be-edba-4617-b4df-9d5b6275d310" 5 | fingerprint = "54e03337930d74568a91e797cfda3b7bfbce3aad29be2543ed58c51728d8e185" 6 | creation_date = "2022-01-05" 7 | last_modified = "2022-04-12" 8 | threat_name = 
"Windows.Trojan.Merlin" 9 | reference_sample = "768c120e63d3960a0842dcc538749955ab7caabaeaf3682f6d1e30666aac65a8" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { AF F0 4C 01 F1 4C 8B B4 24 A8 00 00 00 4D 0F AF F4 4C 01 F1 4C 8B B4 24 B0 00 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Octopus.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Octopus_15813e26 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "15813e26-77f8-46cf-a6a3-ae081925b85a" 5 | fingerprint = "a3294547f7e3cead0cd64eb3d2e7dbd8ccfc4d9eedede240a643c8cd114cbcce" 6 | creation_date = "2021-11-10" 7 | last_modified = "2022-01-13" 8 | description = "Identifies Octopus, an Open source pre-operation C2 server based on Python and PowerShell" 9 | threat_name = "Windows.Trojan.Octopus" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = "C:\\Users\\UNKNOWN\\source\\repos\\OctopusUnmanagedExe\\OctopusUnmanagedExe\\obj\\x64\\Release\\SystemConfiguration.pdb" ascii fullword 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_OskiStealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_OskiStealer_a158b1e3 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "a158b1e3-21b7-4009-9646-6bee9bde98ad" 5 | fingerprint = "3996a89d37494b118654f3713393f415c662850a5a76afa00e83f9611aee3221" 6 | creation_date = "2022-03-21" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.OskiStealer" 9 | 
reference_sample = "568cd515c9a3bce7ef21520761b02cbfc95d8884d5b2dc38fc352af92356c694" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "\"os_crypt\":{\"encrypted_key\":\"" ascii fullword 17 | $a2 = "%s / %s" ascii fullword 18 | $a3 = "outlook.txt" ascii fullword 19 | $a4 = "GLoX6gmCFw==" ascii fullword 20 | $a5 = "KaoQpEzKSjGm8Q==" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Pandastealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Pandastealer_8b333e76 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "8b333e76-f723-4093-ad72-2f5d42aaa9c9" 5 | fingerprint = "873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Pandastealer" 9 | reference_sample = "ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "] - [user: " ascii fullword 17 | $a2 = "[-] data unpacked failed" ascii fullword 18 | $a3 = "[+] data unpacked" ascii fullword 19 | $a4 = "\\history\\" ascii fullword 20 | $a5 = "PlayerName" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_ProtectS.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_ProtectS_9f6eaa90 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9f6eaa90-b3d4-4f0f-a81e-8010be0a6d36" 5 | fingerprint = 
"46bf59901876794dcc338923076939d765d3ce7f14d784b9687fbc05461ed6b4" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-06-09" 8 | threat_name = "Windows.Trojan.ProtectS" 9 | reference_sample = "c0330e072b7003f55a3153ac3e0859369b9c3e22779b113284e95ce1e2ce2099" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\ProtectS.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Remcos.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Remcos_b296e965 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "b296e965-a99e-4446-b969-ba233a2a8af4" 5 | fingerprint = "a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d" 6 | creation_date = "2021-06-10" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Trojan.Remcos" 9 | reference_sample = "0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Remcos restarted by watchdog!" 
ascii fullword 17 | $a2 = "Mutex_RemWatchdog" ascii fullword 18 | $a3 = "%02i:%02i:%02i:%03i" 19 | $a4 = "* Remcos v" ascii fullword 20 | condition: 21 | 2 of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Remotemanipulator.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Remotemanipulator_9ec52153 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9ec52153-3b62-432d-b87c-895035df1a46" 5 | fingerprint = "02220e8af70ecffb3a7585f756c59ef5d9e17e6690c36d6bffc458e1d17dbd0c" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Remotemanipulator" 9 | reference_sample = "1dd15c830c0a159b53ed21b8c2ce1b7e8093256368d7b96c1347c6851ee6c4f6" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "killself.bat" wide fullword 17 | $a2 = "rutserv.exe" wide fullword 18 | $a3 = "rfusclient.exe" wide fullword 19 | $a4 = "install.log" wide fullword 20 | $a5 = "Unable to create Agent's path." 
wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Revengerat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Revengerat_db91bcc6 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "db91bcc6-024d-42da-8d0a-bd69374bf622" 5 | fingerprint = "9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Revengerat" 9 | reference_sample = "30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Revenge-RAT" wide fullword 17 | $a2 = "SELECT * FROM FirewallProduct" wide fullword 18 | $a3 = "HKEY_CURRENT_USER\\SOFTWARE\\" wide fullword 19 | $a4 = "get_MachineName" ascii fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_WhisperGate.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_WhisperGate_9192618b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9192618b-4f3e-4503-a97f-3c4420fb79e0" 5 | fingerprint = "21f2a5b730a86567e68491a0d997fc52ba37f28b2164747240a74c225be3c661" 6 | creation_date = "2022-01-17" 7 | last_modified = "2022-01-17" 8 | threat_name = "Windows.Trojan.WhisperGate" 9 | reference_sample = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "https://cdn.discordapp.com/attachments/" wide 17 | $a2 = 
"DxownxloxadDxatxxax" wide fullword 18 | $a3 = "powershell" wide fullword 19 | $a4 = "-enc UwB0AGEAcgB0AC" wide fullword 20 | $a5 = "Ylfwdwgmpilzyaph" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_Trojan_Xpertrat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Xpertrat_ce03c41d { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ce03c41d-d5c3-43f5-b3ca-f244f177d710" 5 | fingerprint = "8aa4336ba6909c820f1164c78453629959e28cb619fda45dbe46291f9fbcbec4" 6 | creation_date = "2021-08-06" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Xpertrat" 9 | reference_sample = "d7f2fddb43eb63f9246f0a4535dfcca6da2817592455d7eceaacde666cf1aaae" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "[XpertRAT-Mutex]" wide fullword 17 | $a2 = "XPERTPLUGIN" wide fullword 18 | $a3 = "keylog.tmp" wide fullword 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_VulnDriver_ATSZIO.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_ATSZIO_e22cc429 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "e22cc429-0285-4ab1-ae35-7e905e467182" 5 | fingerprint = "21cf1d00acde85bdae8c4cf6d59b0d224458de30a32dbddebd99eab48e1126bb" 6 | creation_date = "2022-04-07" 7 | last_modified = "2022-04-07" 8 | description = "Name: ATSZIO.sys" 9 | threat_name = "Windows.VulnDriver.ATSZIO" 10 | reference_sample = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" 11 | severity = 50 12 | arch_context = "x86" 13 | scan_context = "file" 14 | license = "Elastic License v2" 15 | os = 
"windows" 16 | strings: 17 | $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 41 00 54 00 53 00 5A 00 49 00 4F 00 2E 00 73 00 79 00 73 00 00 00 } 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $original_file_name 20 | } 21 | 22 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_VulnDriver_Amifldrv.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Amifldrv_e387d5ad { 2 | meta: 3 | author = "Elastic Security" 4 | id = "e387d5ad-fde8-401b-bdcf-044c4f7f5fbd" 5 | fingerprint = "03f898088f37f3c9991fb70d7fb8548908cfac4e03bb2bfe88b11a65157909a8" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.Amifldrv" 9 | reference_sample = "fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\amifldrv64.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_VulnDriver_AsIo.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_AsIo_5f9f29be { 2 | meta: 3 | author = "Elastic Security" 4 | id = "5f9f29be-9dbb-4d0f-84f5-7027c1413c2c" 5 | fingerprint = "82967badefb37a3964de583cb65f423afe46abc299d361c7a9cd407b146fd897" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.AsIo" 9 | reference_sample = "52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | 
os = "windows" 15 | strings: 16 | $str1 = "\\AsIO.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_VulnDriver_EneIo.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_EneIo_6e01882f { 2 | meta: 3 | author = "Elastic Security" 4 | id = "6e01882f-8394-4e32-8049-fa9c4588b087" 5 | fingerprint = "8077212bfbadc7f47f2eb76f123a6e4bcda12009293cb975bbeaba77f8c9dcd0" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.EneIo" 9 | reference_sample = "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\Release\\EneIo.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /memory_scanner/yara_rules/es_rules/Windows_VulnDriver_Fidpci.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Fidpci_cb7f69b5 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "cb7f69b5-5421-493b-adf7-75130d19b001" 5 | fingerprint = "19da3f67e302d0a70d40533553a19ba91a99a83609c01c8f296834a93fa325e2" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.Fidpci" 9 | reference_sample = "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\fidpcidrv64.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | 
--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_VulnDriver_Gvci.yar:
--------------------------------------------------------------------------------
// Known-vulnerable driver, matched on its embedded PDB path. The PDB path is a
// build artifact that identifies the driver family, not a specific build, and
// it is trivially stripped or edited; confirm hash/version on a hit. File-scan
// only (scan_context = "file"), so this never fires on memory.
rule Windows_VulnDriver_Gvci_f5a35359 {
    meta:
        author = "Elastic Security"
        id = "f5a35359-ee16-444a-aafd-c4ef162e46d4"
        fingerprint = "590e6b10c8bd1c299eb4ecd1368ac05d8811147c7ce3976de5e86d1a6d8bc14f"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.VulnDriver.Gvci"
        reference_sample = "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "\\GVCIDrv64.pdb"
    condition:
        // uint32(0x3C) = e_lfanew; +0x5C reaches IMAGE_OPTIONAL_HEADER.Subsystem
        // (0x18 header prefix + 0x44 field offset, same for PE32 and PE32+).
        // 1 = IMAGE_SUBSYSTEM_NATIVE, i.e. a kernel driver. No MZ/PE magic guard.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_VulnDriver_Lha.yar:
--------------------------------------------------------------------------------
// Known-vulnerable driver (LHA.sys), identified by the version-resource
// OriginalFilename. That field is attacker-editable metadata, so a re-stamped
// copy evades the rule and a hit is family-level only.
rule Windows_VulnDriver_Lha_f72bff9a {
    meta:
        author = "Elastic Security"
        id = "f72bff9a-046c-4e02-9e11-4787c8aada75"
        fingerprint = "3b464386a60747131012d8380a34bed9329b02ac5cdc7b69b951f4f681243f35"
        creation_date = "2022-04-07"
        last_modified = "2022-04-07"
        description = "Name: LHA.sys"
        threat_name = "Windows.VulnDriver.Lha"
        reference_sample = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // UTF-16LE "OriginalFilename\0LHA.sys\0" including both NUL terminators.
        $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 4C 00 48 00 41 00 2E 00 73 00 79 00 73 00 00 00 }
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1): restricts the match to drivers.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $original_file_name
}

--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_VulnDriver_PowerTool.yar:
--------------------------------------------------------------------------------
// Known-vulnerable driver (kEvP64.sys, shipped with PowerTool per threat_name),
// identified by version-resource OriginalFilename. That field is editable
// metadata, so a hit is family-level and a re-stamped copy evades the rule.
rule Windows_VulnDriver_PowerTool_044a8645 {
    meta:
        author = "Elastic Security"
        id = "044a8645-cc90-4ab2-8519-e207583de60d"
        fingerprint = "f79831f531f20cc1daeb86b860dffa02dd5a9d25c41cc1eff9f04eddbbd37864"
        creation_date = "2022-04-07"
        last_modified = "2022-04-07"
        description = "Name: kEvP64.sys"
        threat_name = "Windows.VulnDriver.PowerTool"
        reference_sample = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // UTF-16LE "OriginalFilename\0kEvP64.sys\0" including both NUL terminators.
        $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 6B 00 45 00 76 00 50 00 36 00 34 00 2E 00 73 00 79 00 73 00 00 00 }
    condition:
        // uint32(0x3C) = e_lfanew; +0x5C reaches IMAGE_OPTIONAL_HEADER.Subsystem
        // (0x18 header prefix + 0x44 field offset, same for PE32 and PE32+).
        // 1 = IMAGE_SUBSYSTEM_NATIVE, i.e. a kernel driver. No MZ/PE magic guard,
        // so the string is what actually carries the detection.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $original_file_name
}

--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_VulnDriver_ProcId.yar:
--------------------------------------------------------------------------------
// Known-vulnerable driver, PDB-path match: identifies the family only and is
// trivially stripped; confirm hash/version on a hit. File-scan only.
rule Windows_VulnDriver_ProcId_86605fa9 {
    meta:
        author = "Elastic Security"
        id = "86605fa9-bf1a-4c2c-87f5-cb656ebe4cf3"
        fingerprint = "6d8d926efd98d6eaa1d06d39fb5babf70abf6f0e639fb74f29f65836a79e4743"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.VulnDriver.ProcId"
        reference_sample = "b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "\\piddrv64.pdb"
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1): restricts the match to drivers.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_VulnDriver_RtCore.yar:
--------------------------------------------------------------------------------
// RTCore64 (MSI Afterburner driver family per threat_name), matched on the
// device name it exposes. The "and not $str2" exclusion keeps a Kaspersky
// driver that carries the same device name from being flagged; this also
// means any file that embeds that Kaspersky description string is exempted,
// which is an easy allow-list to copy — do not rely on this rule alone.
rule Windows_VulnDriver_RtCore_4eeb2ce5 {
    meta:
        author = "Elastic Security"
        id = "4eeb2ce5-e481-4e9c-beda-2b01f259ed96"
        fingerprint = "cebca7dc572afccf4eb600980b9cbaef0878213f91c04b4605a0cf4d0e5e541f"
        creation_date = "2022-04-04"
        last_modified = "2022-08-30"
        threat_name = "Windows.VulnDriver.RtCore"
        reference_sample = "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // UTF-16LE "\Device\RTCore64" (device object name the driver creates).
        $str1 = "\\Device\\RTCore64" wide fullword
        // Exclusion marker: legitimate Kaspersky driver sharing the device name.
        $str2 = "Kaspersky Lab Anti-Rootkit Monitor Driver" wide fullword
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1): restricts the match to drivers.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 and not $str2
}

--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_VulnDriver_Speedfan.yar:
--------------------------------------------------------------------------------
// Known-vulnerable driver identified by the certificate subject CN embedded in
// the file (presumably the Authenticode signer). The rule only checks that the
// DER bytes are present; it does NOT validate the signature, and it will flag
// every driver signed under this CN, vulnerable or not — hence severity 50.
rule Windows_VulnDriver_Speedfan_9b590eee {
    meta:
        author = "Elastic Security"
        id = "9b590eee-5938-4293-afac-c9e730753413"
        fingerprint = "c58a8c3bfa710896c35262cc880b9afbadcdfdd73d9969c707e7b5b64e6a70b5"
        creation_date = "2022-04-07"
        last_modified = "2022-04-07"
        description = "Subject: Sokno S.R.L."
        threat_name = "Windows.VulnDriver.Speedfan"
        reference_sample = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // DER: 06 03 55 04 03 = OID 2.5.4.3 (commonName); [2] skips the string
        // tag and length byte; then ASCII "Sokno S.R.L.".
        $subject_name = { 06 03 55 04 03 [2] 53 6F 6B 6E 6F 20 53 2E 52 2E 4C 2E }
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1): restricts the match to drivers.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name
}

--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_VulnDriver_WinFlash.yar:
--------------------------------------------------------------------------------
// Known-vulnerable driver, PDB-path match (family-level identification only).
rule Windows_VulnDriver_WinFlash_881758da {
    meta:
        author = "Elastic Security"
        id = "881758da-760c-4c50-81f2-8bd698972ba2"
        fingerprint = "1c64ee1c3fc6bf93e207810a473367c404c824d0eaba15910b00016e23d53637"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.VulnDriver.WinFlash"
        reference_sample = "8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "\\WinFlash64.pdb"
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1): restricts the match to drivers.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

--------------------------------------------------------------------------------
/memory_scanner/yara_rules/es_rules/Windows_VulnDriver_Zam.yar:
--------------------------------------------------------------------------------
// Zemana AntiMalware driver family (per the "AntiMalware\bin\zam" path):
// either the 32- or 64-bit PDB path is enough. Family-level only; the
// legitimate product ships the same driver, so verify version before acting.
rule Windows_VulnDriver_Zam_928812a7 {
    meta:
        author = "Elastic Security"
        id = "928812a7-ac7c-47cf-9111-11470b661d46"
        fingerprint = "8e5db0d4fee806538929680e7d3521b111b0e09fcc3eba3c191f6787375999cc"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.VulnDriver.Zam"
        reference_sample = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $pdb_64 = "AntiMalware\\bin\\zam64.pdb"
        $pdb_32 = "AntiMalware\\bin\\zam32.pdb"
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1) plus either PDB path.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and any of ($pdb_*)
}

--------------------------------------------------------------------------------
/wx.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoomaSec/RmTools/db80cb3f19c2f378e4cb6c0d2b3960ff0db0ea45/wx.png
--------------------------------------------------------------------------------
/yara_scanner/config.json:
--------------------------------------------------------------------------------
{
    "scan_path": ["D:\\system_image"],
    "hashes": [
        "EE9E2816170E9441690EBEE28324F43046056712"
    ],
    "filenames": [
        "InstDrv.bin"
    ],
    "max_file_limit": 10737418240
}
--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Multi_AttackSimulation_Blindspot.yar:
--------------------------------------------------------------------------------
// Attack-simulation artifact (severity 1): a named-pipe format string used by
// a test tool, not real malware. A hit validates the scan pipeline; it should
// not be escalated as an intrusion. Note the pipe name is a printf template
// ("%d"), so the string only matches the template inside the tool's binary or
// memory, not the concrete pipe name it creates at runtime.
rule Multi_AttackSimulation_Blindspot_d93f54c5 {
    meta:
        author = "Elastic Security"
        id = "d93f54c5-6574-4999-a3c0-39ef688b28dc"
        fingerprint = "4ec38f841aa4dfe32b1f6b6cd2e361c7298839ef1e983061cb90827135f34a58"
        creation_date = "2022-05-23"
        last_modified = "2022-08-16"
        threat_name = "Multi.AttackSimulation.Blindspot"
        severity = 1
        arch_context = "x86, arm64"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "multi"
    strings:
        // Literal after YARA unescaping: \\.\pipe\blindspot-%d.
        $a = "\\\\.\\pipe\\blindspot-%d."
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Multi_EICAR.yar:
--------------------------------------------------------------------------------
// EICAR anti-virus test string (severity 1, "Not-a-virus"). Use it to confirm
// the scanner actually runs; never treat a hit as an incident.
rule Multi_EICAR_ac8f42d6 {
    meta:
        author = "Elastic Security"
        id = "ac8f42d6-52da-46ec-8db1-5a5f69222a38"
        fingerprint = "bb0e0bdf70ec65d98f652e2428e3567013d5413f2725a2905b372fd18da8b9dd"
        creation_date = "2021-01-21"
        last_modified = "2022-01-13"
        threat_name = "Multi.EICAR.Not-a-virus"
        severity = 1
        arch_context = "x86, arm64"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "multi"
    strings:
        // "\\" is one literal backslash, so this is the standard 68-byte EICAR
        // line; "fullword" requires non-alphanumeric (or no) neighbours.
        $a = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii fullword
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Multi_Trojan_Coreimpact.yar:
--------------------------------------------------------------------------------
// Core Impact agent: any three of five diagnostic/debug strings. Looser than
// "all of them" to survive minor agent revisions; cross-platform ("multi").
// Severity 100 even though Core Impact is a commercial pentest framework —
// check for an authorised engagement before treating a hit as hostile.
rule Multi_Trojan_Coreimpact_37703dc3 {
    meta:
        author = "Elastic Security"
        id = "37703dc3-9485-4026-a8b7-82e753993757"
        fingerprint = "5a4d7af7d0fecc05f87ba51f976d78e77622f8afb1eafc175444f45839490109"
        creation_date = "2022-08-10"
        last_modified = "2022-09-29"
        threat_name = "Multi.Trojan.Coreimpact"
        reference_sample = "2d954908da9f63cd3942c0df2e8bb5fe861ac5a336ddef2bd0a977cebe030ad7"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "multi"
    strings:
        $str1 = "Uh, oh, exit() failed" fullword
        $str2 = "agent_recv" fullword
        $str3 = "needroot" fullword
        $str4 = "time is running backwards, corrected" fullword
        $str5 = "junk pointer, too low to make sense" fullword
    condition:
        3 of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_AttackSimulation_Hovercraft.yar:
--------------------------------------------------------------------------------
// Attack-simulation artifact (severity 1): a test marker string plus the
// WinHttp import name. A hit validates detection coverage, not an intrusion.
// "WinHttp.dll" on its own is ubiquitous; the UTF-16 marker is the real key.
rule Windows_AttackSimulation_Hovercraft_f5c7178f {
    meta:
        author = "Elastic Security"
        id = "f5c7178f-9a3f-463d-96a7-0a82cbed9ba2"
        fingerprint = "8965ab173fd09582c9e77e7c54c9722b91b71ecbe42c4f8a8cc87d9a780ffe8c"
        creation_date = "2022-05-23"
        last_modified = "2022-07-18"
        threat_name = "Windows.AttackSimulation.Hovercraft"
        reference = "046645b2a646c83b4434a893a0876ea9bd51ae05e70d4e72f2ccc648b0f18cb6"
        severity = 1
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a1 = "MyHovercraftIsFullOfEels" wide fullword
        $a2 = "WinHttp.dll" fullword
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Cryptominer_Generic.yar:
--------------------------------------------------------------------------------
// Generic miner signature on a 20-byte code sequence. The bytes decode to an
// SSE2 run (pxor / pxor / paddd / movdqa xmm6,[reg+0xB0] ...), which looks like
// a vectorised hashing round, but that is an inference from the opcodes, not
// something the rule documents. File-scan only; a packed miner will not match.
rule Windows_Cryptominer_Generic_dd1e4d1a {
    meta:
        author = "Elastic Security"
        id = "dd1e4d1a-2e2f-4af0-bd66-2e12367dd064"
        fingerprint = "a00e3e08e11d10a7a4bf1110a5110e4d0a4d2acf0974aca9dfc1ad5f21c80df7"
        creation_date = "2021-01-12"
        last_modified = "2021-08-23"
        threat_name = "Windows.Cryptominer.Generic"
        reference_sample = "7ac1d7b6107307fb2442522604c8fa56010d931392d606ac74dcea6b7125954b"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // Pattern starts mid-instruction (EF F9 = tail of 66 0F EF F9, pxor xmm7,xmm1).
        $a = { EF F9 66 0F EF FA 66 0F FE FE 66 0F 6F B0 B0 00 00 00 66 0F }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Exploit_Dcom.yar:
--------------------------------------------------------------------------------
// DCOM exploit tool, matched on a credits banner: the hex is ASCII
// " by FlashSky and Ben". It is a text string written as hex (possibly to avoid
// the rule file itself tripping string-based scanners); any binary quoting the
// same credit line will match, so treat it as tool attribution, not behaviour.
rule Windows_Exploit_Dcom_7a1bcec7 {
    meta:
        author = "Elastic Security"
        id = "7a1bcec7-e177-4adf-97a7-0d876bf65abc"
        fingerprint = "0abae84599e490056412d5a5ce1868ea118551243377d59cbb6ebd83701769b8"
        creation_date = "2021-01-12"
        last_modified = "2021-08-23"
        threat_name = "Windows.Exploit.Dcom"
        reference_sample = "84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { 20 62 79 20 46 6C 61 73 68 53 6B 79 20 61 6E 64 20 42 65 6E }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Exploit_Eternalblue.yar:
--------------------------------------------------------------------------------
// EternalBlue artifact, matched on 20 bytes of x64 code. Decoded: clc;
// xor ecx,ecx; jmp +0xB; mov dil,[rsi+rcx]; mov [rax+rcx],dil; inc rcx;
// cmp rcx,rdx; jne — a plain byte-copy loop. Which stage of the exploit it
// belongs to is not determinable from here. File-scan only (not memory), so
// it catches the exploit binary/payload on disk rather than the live attack.
rule Windows_Exploit_Eternalblue_ead33bf8 {
    meta:
        author = "Elastic Security"
        id = "ead33bf8-1870-4d01-a223-edcbe262542f"
        fingerprint = "9e3b5f4f0b8ac683544886abbd9eecbf0253a7992ee5d99c453de67b9aacdccd"
        creation_date = "2021-01-12"
        last_modified = "2021-08-23"
        threat_name = "Windows.Exploit.Eternalblue"
        reference_sample = "a1340e418c80be58fb6bbb48d4e363de8c6d62ea59730817d5eda6ba17b2c7a7"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { F8 31 C9 EB 0B 40 8A 3C 0E 40 88 3C 08 48 FF C1 48 39 D1 75 }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Exploit_Log4j.yar:
--------------------------------------------------------------------------------
// Log4Shell (CVE-2021-44228 family) exploitation evidence, intended mostly for
// JVM process memory: the $jndi* strings are Java class/method names that show
// up in stack traces when a JNDI lookup runs, and the $exp* strings are
// exploit-class / payload names. Requiring 2 JNDI markers AND 1 exploit marker
// separates "log4j with JNDI present" (normal on many hosts) from an actual
// lookup of an attacker class. $exp4 ("Exploit.java") is generic and can
// appear in developer tooling, so expect some noise on build/dev machines.
rule Windows_Exploit_Log4j_dbac7698 {
    meta:
        author = "Elastic Security"
        id = "dbac7698-906c-44a2-9795-f04ec07d7fcc"
        fingerprint = "cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159"
        creation_date = "2021-12-13"
        last_modified = "2022-01-13"
        threat_name = "Windows.Exploit.Log4j"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $jndi1 = "jndi.ldap.LdapCtx.c_lookup"
        $jndi2 = "logging.log4j.core.lookup.JndiLookup.lookup"
        $jndi3 = "com.sun.jndi.url.ldap.ldapURLContext.lookup"
        $exp1 = "Basic/Command/Base64/"
        $exp2 = "java.lang.ClassCastException: Exploit"
        $exp3 = "WEB-INF/classes/Exploit"
        $exp4 = "Exploit.java"
    condition:
        2 of ($jndi*) and 1 of ($exp*)
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Hacktool_BlackBone.yar:
--------------------------------------------------------------------------------
// BlackBone kernel driver (memory-manipulation toolkit), matched on a debug
// format string. Restricted to kernel drivers via the Subsystem check; the
// user-mode BlackBone library is not covered by this rule.
rule Windows_Hacktool_BlackBone_2ff5ec38 {
    meta:
        author = "Elastic Security"
        id = "2ff5ec38-ce35-432a-8ffa-d459f84438dd"
        fingerprint = "e3df60931c040081214296f006d98e155a5dc7e285a840a1decb23186ef67465"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.Hacktool.BlackBone"
        reference_sample = "4e3887f950bff034efedd40f1e949579854a24140128246fa6141f2c34de6017"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "BlackBone: %s: ZwCreateThreadEx hThread 0x%X"
    condition:
        // uint32(0x3C) = e_lfanew; +0x5C reaches IMAGE_OPTIONAL_HEADER.Subsystem
        // (0x18 header prefix + 0x44 field offset, same for PE32 and PE32+).
        // 1 = IMAGE_SUBSYSTEM_NATIVE, i.e. a kernel driver. No MZ/PE magic guard.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Hacktool_Capcom.yar:
--------------------------------------------------------------------------------
// Capcom.sys (the signed driver abused for arbitrary kernel code execution),
// identified by the certificate subject CN embedded in the file. Only checks
// that the DER bytes are present — no signature validation — and it flags any
// driver signed under this CN, so pair with a hash check before escalating.
rule Windows_Hacktool_Capcom_7abae448 {
    meta:
        author = "Elastic Security"
        id = "7abae448-0ebc-433f-b368-0b8560da7197"
        fingerprint = "965e85fc3b2a21aef84c7c2bd59708b121d9635ce6bab177014b28fb00102884"
        creation_date = "2022-04-07"
        last_modified = "2022-04-07"
        description = "Subject: CAPCOM Co.,Ltd."
        threat_name = "Windows.Hacktool.Capcom"
        reference_sample = "da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // DER: 06 03 55 04 03 = OID 2.5.4.3 (commonName); [2] skips the string
        // tag and length byte; then ASCII "CAPCOM Co.,Ltd.".
        $subject_name = { 06 03 55 04 03 [2] 43 41 50 43 4F 4D 20 43 6F 2E 2C 4C 74 64 2E }
    condition:
        // uint32(0x3C) = e_lfanew; +0x5C = IMAGE_OPTIONAL_HEADER.Subsystem;
        // 1 = IMAGE_SUBSYSTEM_NATIVE (kernel driver). No MZ/PE magic guard.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Hacktool_CheatEngine.yar:
--------------------------------------------------------------------------------
// Cheat Engine kernel driver, identified by certificate subject CN. Cheat
// Engine is a legitimate (if dual-use) tool; on a workstation a hit is more
// likely a gamer than an attacker, on a server it deserves a look. Same DER
// caveat as the other subject-name rules: presence of bytes, not a valid sig.
rule Windows_Hacktool_CheatEngine_fedac96d {
    meta:
        author = "Elastic Security"
        id = "fedac96d-4c23-4c8d-8476-4c89fd610441"
        fingerprint = "94d375ddab90c27ef22dd18b98952d0ec8a4d911151970d5b9f59654a8e3d7db"
        creation_date = "2022-04-07"
        last_modified = "2022-04-07"
        description = "Subject: Cheat Engine"
        threat_name = "Windows.Hacktool.CheatEngine"
        reference_sample = "b20b339a7b61dc7dbc9a36c45492ba9654a8b8a7c8cbc202ed1dfed427cfd799"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // OID 2.5.4.3 (commonName), [2] = string tag+length, then "Cheat Engine".
        $subject_name = { 06 03 55 04 03 [2] 43 68 65 61 74 20 45 6E 67 69 6E 65 }
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1): restricts the match to drivers.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Hacktool_CpuLocker.yar:
--------------------------------------------------------------------------------
// CPULocker driver, matched on its PDB path. The PDB path is a build artifact
// (trivially stripped or edited) that identifies the family, not a build.
rule Windows_Hacktool_CpuLocker_73b41444 {
    meta:
        author = "Elastic Security"
        id = "73b41444-4c17-4fea-b440-fe7b0a086a7f"
        fingerprint = "3f90517fbeafdccd37e4b8ab0316a91dd18a911cb1f4ffcd4686ab912a0feab4"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.Hacktool.CpuLocker"
        reference_sample = "dbfc90fa2c5dc57899cc75ccb9dc7b102cb4556509cdfecde75b36f602d7da66"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "\\CPULocker.pdb"
    condition:
        // uint32(0x3C) = e_lfanew; +0x5C reaches IMAGE_OPTIONAL_HEADER.Subsystem
        // (0x18 header prefix + 0x44 field offset, same for PE32 and PE32+).
        // 1 = IMAGE_SUBSYSTEM_NATIVE, i.e. a kernel driver. No MZ/PE magic guard.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Hacktool_Gmer.yar:
--------------------------------------------------------------------------------
// GMER anti-rootkit driver (64-bit build, per the PDB name), PDB-path match.
// GMER is a legitimate rootkit scanner that attackers also bring along to kill
// security products; severity 50 reflects that dual use.
rule Windows_Hacktool_Gmer_8aabdd5e {
    meta:
        author = "Elastic Security"
        id = "8aabdd5e-1ce7-4257-abaa-8d02dc6856a6"
        fingerprint = "960721d4d111a670907fe7d3ce01dfd134ad03a2d8440a945c75a7d46de46238"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.Hacktool.Gmer"
        reference_sample = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "\\gmer64.pdb"
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1): restricts the match to drivers.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Hacktool_ProcessHacker.yar:
--------------------------------------------------------------------------------
// Process Hacker kernel driver (kprocesshacker.sys), identified by the
// version-resource OriginalFilename written as a text string with an explicit
// "\x00" separator (same content the other rules spell out in hex). Severity
// 100 here versus 50 for the other drivers: the driver is commonly loaded to
// terminate protected processes, but it also ships with a popular admin tool,
// so confirm who installed it before responding.
rule Windows_Hacktool_ProcessHacker_3d01069e {
    meta:
        author = "Elastic Security"
        id = "3d01069e-7afb-4da0-b7ac-23f90db26495"
        fingerprint = "5d6a0835ac6c0548292ff11741428d7b2f4421ead6d9e2ca35379cbceb6ee68c"
        creation_date = "2022-03-30"
        last_modified = "2022-03-30"
        threat_name = "Windows.Hacktool.ProcessHacker"
        reference_sample = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $original_file_name = "OriginalFilename\x00kprocesshacker.sys" wide fullword
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1): restricts the match to drivers.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $original_file_name
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Hacktool_RWEverything.yar:
--------------------------------------------------------------------------------
// RWEverything driver (raw hardware read/write), identified by the signer's
// certificate subject CN. Presence of the DER bytes only — no signature
// validation — and every binary signed under this CN will match.
rule Windows_Hacktool_RWEverything_da67eda7 {
    meta:
        author = "Elastic Security"
        id = "da67eda7-1455-4231-8de5-040d5f0dfd6f"
        fingerprint = "078971f0c67b24a7fb321fa64ecfd4e4c3b9785961eea042cc5f9f1cd9e699af"
        creation_date = "2022-04-07"
        last_modified = "2022-04-07"
        description = "Subject: ChongKim Chan"
        threat_name = "Windows.Hacktool.RWEverything"
        reference_sample = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // OID 2.5.4.3 (commonName), [2] = string tag+length, then "ChongKim Chan".
        $subject_name = { 06 03 55 04 03 [2] 43 68 6F 6E 67 4B 69 6D 20 43 68 61 6E }
    condition:
        // Subsystem == IMAGE_SUBSYSTEM_NATIVE (1): restricts the match to drivers.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_PUP_Veriato.yar:
--------------------------------------------------------------------------------
// Veriato (commercial employee-monitoring software, per threat_name) flagged
// as PUP. "InitializeDll" alone is a generic export name; the hard-coded
// install path under C:\Windows\winipbin is the discriminating part. Severity
// 100 does not mean malicious — confirm whether the deployment is authorised
// by the organisation before treating it as an intrusion.
rule Windows_PUP_Veriato_fae5978c {
    meta:
        author = "Elastic Security"
        id = "fae5978c-f26c-4215-9407-d16e492ab5c1"
        fingerprint = "8d351cdd11d6dddc76cd89e7de9e65b28ef5c8183db804b2a450095e2f3214e5"
        creation_date = "2022-06-08"
        last_modified = "2022-09-29"
        threat_name = "Windows.PUP.Veriato"
        reference_sample = "53f09e60b188e67cdbf28bda669728a1f83d47b0279debf3d0a8d5176479d17f"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $s1 = "InitializeDll" fullword
        $a1 = "C:\\Windows\\winipbin\\svrltmgr.dll" fullword
        $a2 = "C:\\Windows\\winipbin\\svrltmgr64.dll" fullword
    condition:
        // Export marker plus either the 32- or 64-bit component path.
        $s1 and ($a1 or $a2)
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Ransomware_Avoslocker.yar:
--------------------------------------------------------------------------------
// AvosLocker: five logging/format strings that must all be present (four
// ASCII, one UTF-16). "client_rsa_priv: %s" suggests the sample logs the
// per-victim key material, which is why the strings are so distinctive.
rule Windows_Ransomware_Avoslocker_7ae4d4f2 {
    meta:
        author = "Elastic Security"
        id = "7ae4d4f2-be5f-4aad-baaa-4182ff9cf996"
        fingerprint = "0e5ff268ed2b62f9d31df41192135145094849a4e6891407568c3ea27ebf66bb"
        creation_date = "2021-07-28"
        last_modified = "2021-08-23"
        threat_name = "Windows.Ransomware.Avoslocker"
        reference_sample = "43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a1 = "drive %s took %f seconds" ascii fullword
        $a2 = "client_rsa_priv: %s" ascii fullword
        $a3 = "drive: %s" ascii fullword
        $a4 = "Map: %s" ascii fullword
        $a5 = "encrypting %ls failed" wide fullword
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Ransomware_Conti.yar:
--------------------------------------------------------------------------------
// Conti, matched on 22 bytes of 32-bit code: a loop tail (idiv esi; mov
// [edi-1],dl; sub ebx,1; jne) followed by a function epilogue (mov eax,[ebp-4];
// pop edi; pop ebx; inc eax; pop esi; mov esp,ebp; pop ebp; ret). Code-byte
// rules are brittle across compiler versions and will not match a 64-bit
// build; the epilogue part is the more generic half of the pattern.
rule Windows_Ransomware_Conti_89f3f6fa {
    meta:
        author = "Elastic Security"
        id = "89f3f6fa-492c-40e3-a4aa-a526004197b2"
        fingerprint = "a82331eba3cbd52deb4bed5e11035ac1e519ec27931507f582f2985865c0fb1a"
        creation_date = "2021-08-05"
        last_modified = "2021-10-04"
        threat_name = "Windows.Ransomware.Conti"
        reference_sample = "eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { F7 FE 88 57 FF 83 EB 01 75 DA 8B 45 FC 5F 5B 40 5E 8B E5 5D C3 8D }
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Ransomware_Lockfile.yar:
--------------------------------------------------------------------------------
// LockFile: ransom-note name, a WMI command that kills VirtualBox processes,
// and the encrypted-file extension. All four strings are required.
rule Windows_Ransomware_Lockfile_74185716 {
    meta:
        author = "Elastic Security"
        id = "74185716-e79d-4d63-b6ae-9480f24dcd4f"
        fingerprint = "849a0fb5a2e08b2d32db839a7fdbde03a184a48726678e65e7f8452b354a3ca8"
        creation_date = "2021-08-31"
        last_modified = "2022-01-13"
        threat_name = "Windows.Ransomware.Lockfile"
        reference_sample = "bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a1 = "LOCKFILE-README"
        // \" is an escaped quote: the literal is wmic process where "name like '%virtualbox%'" call terminate
        $a2 = "wmic process where \"name like '%virtualbox%'\" call terminate"
        // NOTE(review): $a3 is a zero-length string. YARA rejects empty text
        // strings at compile time ("empty string"), so this rule — and, if the
        // scanner compiles the directory as one set, the whole ruleset — fails
        // to load as-is. The literal was most likely lost when the rule was
        // copied (it may have looked like markup and been stripped). Restore it
        // from the upstream Elastic rule with this id rather than deleting the
        // line: "all of them" silently loosens if a string is removed.
        $a3 = ""
        $a4 = ".lockfile"
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Ransomware_Mespinoza.yar:
--------------------------------------------------------------------------------
// Mespinoza / Pysa: two ransom-note sentences (ASCII) plus the UTF-16 tail of
// the encrypted-file extension ("n.pysa"), all required. Severity 90 rather
// than 100 — note text is the easiest part of a family to copy, so a hit on
// a document (e.g. an IR report quoting the note) is possible on file scans.
rule Windows_Ransomware_Mespinoza_3adb59f5 {
    meta:
        author = "Elastic Security"
        id = "3adb59f5-a4af-48f2-8029-874a62b23651"
        fingerprint = "f44a79048427e79d339d3b0ccaeb85ba6731d5548256a2615f32970dcf67578f"
        creation_date = "2021-08-05"
        last_modified = "2021-10-04"
        threat_name = "Windows.Ransomware.Mespinoza"
        reference_sample = "6f3cd5f05ab4f404c78bab92f705c91d967b31a9b06017d910af312fa87ae3d6"
        severity = 90
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a1 = "Don't try to use backups because it were encrypted too." ascii fullword
        $a2 = "Every byte on any types of your devices was encrypted." ascii fullword
        $a3 = "n.pysa" wide fullword
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Ransomware_Pandora.yar:
--------------------------------------------------------------------------------
// Pandora: shadow-copy deletion command line, ransom-note file name and the
// encrypted-file extension, all UTF-16 and all required. The vssadmin string
// is generic ransomware behaviour; $a2/$a3 are what pin the family.
rule Windows_Ransomware_Pandora_bca8ce23 {
    meta:
        author = "Elastic Security"
        id = "bca8ce23-6722-4cda-b5fa-623eda4fca1b"
        fingerprint = "0da732f6bdf24f35dee3c1bf85435650a5ce9b5c6a93f01176659943c01ad711"
        creation_date = "2022-03-14"
        last_modified = "2022-04-12"
        threat_name = "Windows.Ransomware.Pandora"
        reference_sample = "2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a1 = "/c vssadmin.exe delete shadows /all /quiet" wide fullword
        $a2 = "\\Restore_My_Files.txt" wide fullword
        $a3 = ".pandora" wide fullword
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Ransomware_Ransomexx.yar:
--------------------------------------------------------------------------------
// RansomEXX: the "ransom.exx" marker (ASCII), two ransom-note sentences and a
// backup-catalog deletion argument ("delete catalog -quiet", as passed to
// wbadmin), the last three UTF-16. All four required.
rule Windows_Ransomware_Ransomexx_fabff49c {
    meta:
        author = "Elastic Security"
        id = "fabff49c-8e1a-4020-b081-2f432532e529"
        fingerprint = "a7a1e6d5fafdddc7d4699710edf407653968ffd40747c50f26ef63a6cb623bbe"
        creation_date = "2021-08-07"
        last_modified = "2021-10-04"
        threat_name = "Windows.Ransomware.Ransomexx"
        reference_sample = "480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a1 = "ransom.exx" ascii fullword
        $a2 = "Infrastructure rebuild will cost you MUCH more." wide fullword
        $a3 = "Your files are securely ENCRYPTED." wide fullword
        $a4 = "delete catalog -quiet" wide fullword
    condition:
        all of them
}

--------------------------------------------------------------------------------
/yara_scanner/yara_rules/es_rules/Windows_Ransomware_Rook.yar:
--------------------------------------------------------------------------------
// Rook, matched on 20 bytes of x64 code. The tail decodes to a counted loop
// (mov eax,ebx; inc ebx; mov [rbp+rax*8-0x10],rsi; inc rdi; cmp rdi,0x1A;
// jl back). The bound of 26 would fit a drive-letter sweep, but that is an
// inference from the opcodes, not something the rule documents.
rule Windows_Ransomware_Rook_ee21fa67 {
    meta:
        author = "Elastic Security"
        id = "ee21fa67-bd82-40fb-9c6d-bab5abfe14b3"
        fingerprint = "8ef731590e73f79a13d04db39e58b03d0a29fd8e46a0584b0fcaf57ac0efe473"
        creation_date = "2022-01-14"
        last_modified = "2022-04-12"
        threat_name = "Windows.Ransomware.Rook"
        reference_sample = "c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { 01 75 09 8B C3 FF C3 48 89 74 C5 F0 48 FF C7 48 83 FF 1A 7C DB }
    condition:
        all of them
}
| 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Ransomware_Royal.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Royal_b7d42109 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "b7d42109-f327-4ec3-86ac-d1ebb9478860" 5 | fingerprint = "ff518f25b39b02769b67c437f38958d14e4e8f50b91f4c73591203da297a5d2a" 6 | creation_date = "2022-11-04" 7 | last_modified = "2022-12-20" 8 | threat_name = "Windows.Ransomware.Royal" 9 | reference_sample = "491c2b32095174b9de2fd799732a6f84878c2e23b9bb560cd3155cbdc65e2b80" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Try Royal today and enter the new era of data security" ascii fullword 17 | $a2 = "If you are reading this, it means that your system were hit by Royal ransomware." ascii fullword 18 | $a3 = "http://royal" 19 | $a4 = "\\README.TXT" wide fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Ransomware_Stop.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Stop_1e8d48ff { 2 | meta: 3 | author = "Elastic Security" 4 | id = "1e8d48ff-e0ab-478d-8268-a11f2e87ab79" 5 | fingerprint = "715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb" 6 | creation_date = "2021-06-10" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Ransomware.Stop" 9 | reference_sample = "821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = "E:\\Doc\\My work (C++)\\_Git\\Encryption\\Release\\encrypt_win_api.pdb" ascii 
fullword 17 | $b = { 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF } 18 | condition: 19 | any of them 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Rootkit_R77.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Rootkit_R77_5bab748b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "5bab748b-8576-4967-9b50-a3778db1dd71" 5 | fingerprint = "2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa" 6 | creation_date = "2022-03-04" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Rootkit.R77" 9 | reference_sample = "cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_A310logger.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_A310logger_520cd7ec { 2 | meta: 3 | author = "Elastic Security" 4 | id = "520cd7ec-840c-4d45-961b-8bc5e329c52f" 5 | fingerprint = "f4ee88e555b7bd0102403cc804372f5376debc59555e8e7b4a16e18b04d1b314" 6 | creation_date = "2022-01-11" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.A310logger" 9 | reference_sample = "60fb9597e5843c72d761525f73ca728409579d81901860981ebd84f7d153cfa3" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "/dumps9taw" ascii fullword 17 | $a2 = "/logstatus" ascii fullword 18 | $a3 = "/checkprotection" ascii fullword 19 | $a4 = "[CLIPBOARD]<<" wide 
fullword 20 | $a5 = "&chat_id=" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_ArkeiStealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_ArkeiStealer_84c7086a { 2 | meta: 3 | author = "Elastic Security" 4 | id = "84c7086a-abc3-4b97-b325-46a078b90a95" 5 | fingerprint = "f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d" 6 | creation_date = "2022-02-17" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.ArkeiStealer" 9 | reference_sample = "708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 01 89 55 F4 8B 45 F4 3B 45 10 73 31 8B 4D 08 03 4D F4 0F BE 19 8B } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Babylonrat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Babylonrat_0f66e73b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "0f66e73b-7824-46b6-a9e6-5abf018c9ffa" 5 | fingerprint = "3998824e381f51aaa2c81c12d4c05157c642d8aef39982e35fa3e124191640ea" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Babylonrat" 9 | reference_sample = "4278064ec50f87bb0471053c068b13955ed9d599434e687a64bf2060438a7511" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "BabylonRAT" wide fullword 17 | $a2 = "Babylon RAT Client" wide fullword 18 | $a3 = "ping 0 & del \"" wide fullword 19 | $a4 = "\\%Y %m %d - %I %M %p" 
wide fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Backoff.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Backoff_22798f00 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "22798f00-ff2a-4f5f-a9ef-fab6d04ca679" 5 | fingerprint = "a45fc701844e6e0cfba5d8ef90d00960b5817af66e6b3d889a54d33539cd5d41" 6 | creation_date = "2022-08-10" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.Trojan.Backoff" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $str1 = "\\nsskrnl" fullword 16 | $str2 = "Upload KeyLogs" fullword 17 | $str3 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s" fullword 18 | $str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword 19 | $str5 = "\\OracleJava\\Log.txt" fullword 20 | $str6 = "[Ctrl+%c]" fullword 21 | condition: 22 | 3 of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Bandook.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Bandook_38497690 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "38497690-6663-47c9-a864-0bbe6a3f7a8b" 5 | fingerprint = "b6debea805a8952b9b7473ad7347645e4aced3ecde8d6e53fa2d82c35b285b3c" 6 | creation_date = "2022-08-10" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.Trojan.Bandook" 9 | reference_sample = "4d079586a51168aac708a9ab7d11a5a49dfe7a16d9ced852fbbc5884020c0c97" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "%s~!%s~!%s~!%s~!%s~!%s~!" 
17 | $str2 = "ammyy.abc" 18 | $str3 = "StealUSB" 19 | $str4 = "DisableMouseCapture" 20 | $str5 = "%sSkype\\%s\\config.xml" 21 | $str6 = "AVE_MARIA" 22 | condition: 23 | 3 of them 24 | } 25 | 26 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_CaesarKbd.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_CaesarKbd_32bb198b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "32bb198b-ec03-4628-8e9b-bc36c2525ec7" 5 | fingerprint = "54ed92761bb619ae4dcec9c27127d6c2a74a575916249cd5db24b8deb2ee0588" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-06-09" 8 | threat_name = "Windows.Trojan.CaesarKbd" 9 | reference_sample = "d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "CaesarKbd_IOCtrl" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_DBatLoader.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_DBatLoader_f93a8e90 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "f93a8e90-10ac-44de-ac3b-c0e976628e98" 5 | fingerprint = "81b87663fbad9854430e5c4dcade464a15b995e645f9993a3e234593ee4df901" 6 | creation_date = "2022-03-11" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.DBatLoader" 9 | reference_sample = "f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { FF 00 74 17 8B 45 E8 0F B6 7C 18 FF 66 03 7D EC 66 0F AF 7D F4 66 03 } 17 | 
condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_DarkVNC.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_DarkVNC_bd803c2e { 2 | meta: 3 | author = "Elastic Security" 4 | id = "bd803c2e-77bd-4b8c-bdfa-11a9bd54a454" 5 | fingerprint = "131f4b3ef5b01720a52958058ecc4c3681ed0ca975a1a06cd034d7205680e710" 6 | creation_date = "2023-01-23" 7 | last_modified = "2023-02-01" 8 | threat_name = "Windows.Trojan.DarkVNC" 9 | reference_sample = "0fcc1b02fdaf211c772bd4fa1abcdeb5338d95911c226a9250200ff7f8e45601" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "BOT-%s(%s)_%S-%S%u%u" wide fullword 17 | $a2 = "{%08X-%04X-%04X-%04X-%08X%04X}" wide fullword 18 | $a3 = "monitor_off / monitor_on" ascii fullword 19 | $a4 = "bot_shell >" ascii fullword 20 | $a5 = "keyboard and mouse are blocked !" 
ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Darkcomet.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Darkcomet_1df27bcc { 2 | meta: 3 | author = "Elastic Security" 4 | id = "1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63" 5 | fingerprint = "63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b" 6 | creation_date = "2021-08-16" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Darkcomet" 9 | reference_sample = "7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "BTRESULTHTTP Flood|Http Flood task finished!|" ascii fullword 17 | $a2 = "is now open!|" ascii fullword 18 | $a3 = "ActiveOnlineKeylogger" ascii fullword 19 | $a4 = "#BOT#RunPrompt" ascii fullword 20 | $a5 = "GETMONITORS" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_DiamondFox.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_DiamondFox_18bc11e3 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "18bc11e3-5872-40b0-a3b7-cef4b32fac15" 5 | fingerprint = "6f908d11220e218a7b59239ff3cc00c7e273fb46ec99ef7ae37e4aceb4de7831" 6 | creation_date = "2022-03-02" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.DiamondFox" 9 | reference_sample = "a44c46d4b9cf1254aaabd1e689f84c4d2c3dd213597f827acabface03a1ae6d1" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "\\wscript.vbs" wide 
fullword 17 | $a2 = "\\snapshot.jpg" wide fullword 18 | $a3 = "&soft=" wide fullword 19 | $a4 = "ping -n 4 127.0.0.1 > nul" wide fullword 20 | $a5 = "Select Name from Win32_Process Where Name = '" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Farfli.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Farfli_85d1bcc9 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "85d1bcc9-c3c7-454c-a77f-0e0de933c4c3" 5 | fingerprint = "56a5e4955556d08b80849ea5775f35f5a32999d6b5df92357ab142a4faa74ac3" 6 | creation_date = "2022-02-17" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.Farfli" 9 | reference_sample = "e3e9ea1b547cc235e6f1a78b4ca620c69a54209f84c7de9af17eb5b02e9b58c3" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { AB 66 AB C6 45 D4 25 C6 45 D5 73 C6 45 D6 5C C6 45 D7 25 C6 45 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Garble.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Garble_eae7f2f7 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "eae7f2f7-49b3-427c-9cf3-cce64d772c78" 5 | fingerprint = "b72b8d475ef50a5e703d741f195d8ce0916f46ee5744c5bc7c8d452ab23df388" 6 | creation_date = "2022-06-08" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.Trojan.Garble" 9 | reference_sample = "4820a1ec99981e03675a86c4c01acba6838f04945b5f753770b3de4e253e1b8c" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = 
".\"G!-$G#-&J%.(G'-*G)-,J+..G--0G/-2J1.4G3-6G5-8J7.:G9-J=+@A?-BAA*DAC*FAE*HFG+JAI-LAK*NAM*PAO*RFQ+TAS-VAU9" 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Gh0st.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Gh0st_ee6de6bc { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ee6de6bc-1648-4a77-9607-e2a211c7bda4" 5 | fingerprint = "3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455" 6 | creation_date = "2021-06-10" 7 | last_modified = "2021-08-23" 8 | description = "Identifies a variant of Gh0st Rat" 9 | threat_name = "Windows.Trojan.Gh0st" 10 | reference_sample = "ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d" 11 | severity = 100 12 | arch_context = "x86" 13 | scan_context = "file, memory" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | strings: 17 | $a1 = ":]%d-%d-%d %d:%d:%d" ascii fullword 18 | $a2 = "[Pause Break]" ascii fullword 19 | $a3 = "f-secure.exe" ascii fullword 20 | $a4 = "Accept-Language: zh-cn" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Hancitor.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Hancitor_6738d84a { 2 | meta: 3 | author = "Elastic Security" 4 | id = "6738d84a-7393-4db2-97cc-66f471b5699a" 5 | fingerprint = "44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912" 6 | creation_date = "2021-06-17" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Trojan.Hancitor" 9 | reference_sample = "a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os 
= "windows" 15 | strings: 16 | $a1 = "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d" 17 | $b1 = "Rundll32.exe %s, start" ascii fullword 18 | $b2 = "MASSLoader.dll" ascii fullword 19 | condition: 20 | $a1 or all of ($b*) 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Hawkeye.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Hawkeye_77c36ace { 2 | meta: 3 | author = "Elastic Security" 4 | id = "77c36ace-3857-43f8-a6de-596ba7964b6f" 5 | fingerprint = "c9a1c61b4fa78c46d493e1b307e9950bd714ba4e5a6249f15a3b86a74b7638e5" 6 | creation_date = "2021-08-16" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Hawkeye" 9 | reference_sample = "28e28025060f1bafd4eb96c7477cab73497ca2144b52e664b254c616607d94cd" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Logger - Key Recorder - [" wide fullword 17 | $a2 = "http://whatismyipaddress.com/" wide fullword 18 | $a3 = "Keylogger Enabled: " wide fullword 19 | $a4 = "LoadPasswordsSeaMonkey" wide fullword 20 | $a5 = "\\.minecraft\\lastlogin" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Jupyter.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Jupyter_56152e31 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "56152e31-77c6-49fa-bbc5-c3630f11e633" 5 | fingerprint = "9cccc2e3d4cfe9ff090d02b143fa837f4da0c229426435b4e097f902e8c5fb01" 6 | creation_date = "2021-07-22" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Trojan.Jupyter" 9 | reference_sample = "ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601" 10 | 
severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "%appdata%\\solarmarker.dat" ascii fullword 17 | $a2 = "\\AppData\\Roaming\\solarmarker.dat" wide fullword 18 | $b1 = "steal_passwords" ascii fullword 19 | $b2 = "jupyter" ascii fullword 20 | condition: 21 | 1 of ($a*) or 2 of ($b*) 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Limerat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Limerat_24269a79 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "24269a79-0172-4da5-9b4d-f61327072bf0" 5 | fingerprint = "cb714cd787519216d25edaad9f89a9c0ce1b8fbbbcdf90bda4c79f5d85fdf381" 6 | creation_date = "2021-08-17" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Limerat" 9 | reference_sample = "ec781a714d6bc6fac48d59890d9ae594ffd4dbc95710f2da1f1aa3d5b87b9e01" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr \"'" wide fullword 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Lucifer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Lucifer_ce9d4cc8 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ce9d4cc8-8f16-4272-a54b-e500d4edea9b" 5 | fingerprint = "77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55" 6 | creation_date = "2022-02-17" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.Lucifer" 9 | reference_sample = "1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c" 10 | 
severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Lurker.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Lurker_0ee51802 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "0ee51802-4ff3-4edf-95ed-bb0338ff25d9" 5 | fingerprint = "c30bc4e25c1984268a3bb44c59081131d1e81254b94734f6af2b47969c0acd0e" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-06-09" 8 | threat_name = "Windows.Trojan.Lurker" 9 | reference_sample = "5718fd4f807e29e48a8b6a6f4484426ba96c61ec8630dc78677686e0c9ba2b87" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\Device\\ZHWLurker0410" wide fullword 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Merlin.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Merlin_e8ecb3be { 2 | meta: 3 | author = "Elastic Security" 4 | id = "e8ecb3be-edba-4617-b4df-9d5b6275d310" 5 | fingerprint = "54e03337930d74568a91e797cfda3b7bfbce3aad29be2543ed58c51728d8e185" 6 | creation_date = "2022-01-05" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.Merlin" 9 | reference_sample = "768c120e63d3960a0842dcc538749955ab7caabaeaf3682f6d1e30666aac65a8" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { AF F0 
4C 01 F1 4C 8B B4 24 A8 00 00 00 4D 0F AF F4 4C 01 F1 4C 8B B4 24 B0 00 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Octopus.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Octopus_15813e26 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "15813e26-77f8-46cf-a6a3-ae081925b85a" 5 | fingerprint = "a3294547f7e3cead0cd64eb3d2e7dbd8ccfc4d9eedede240a643c8cd114cbcce" 6 | creation_date = "2021-11-10" 7 | last_modified = "2022-01-13" 8 | description = "Identifies Octopus, an Open source pre-operation C2 server based on Python and PowerShell" 9 | threat_name = "Windows.Trojan.Octopus" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = "C:\\Users\\UNKNOWN\\source\\repos\\OctopusUnmanagedExe\\OctopusUnmanagedExe\\obj\\x64\\Release\\SystemConfiguration.pdb" ascii fullword 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_OskiStealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_OskiStealer_a158b1e3 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "a158b1e3-21b7-4009-9646-6bee9bde98ad" 5 | fingerprint = "3996a89d37494b118654f3713393f415c662850a5a76afa00e83f9611aee3221" 6 | creation_date = "2022-03-21" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.OskiStealer" 9 | reference_sample = "568cd515c9a3bce7ef21520761b02cbfc95d8884d5b2dc38fc352af92356c694" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "\"os_crypt\":{\"encrypted_key\":\"" ascii fullword 
17 | $a2 = "%s / %s" ascii fullword 18 | $a3 = "outlook.txt" ascii fullword 19 | $a4 = "GLoX6gmCFw==" ascii fullword 20 | $a5 = "KaoQpEzKSjGm8Q==" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Pandastealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Pandastealer_8b333e76 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "8b333e76-f723-4093-ad72-2f5d42aaa9c9" 5 | fingerprint = "873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Pandastealer" 9 | reference_sample = "ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "] - [user: " ascii fullword 17 | $a2 = "[-] data unpacked failed" ascii fullword 18 | $a3 = "[+] data unpacked" ascii fullword 19 | $a4 = "\\history\\" ascii fullword 20 | $a5 = "PlayerName" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_ProtectS.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_ProtectS_9f6eaa90 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9f6eaa90-b3d4-4f0f-a81e-8010be0a6d36" 5 | fingerprint = "46bf59901876794dcc338923076939d765d3ce7f14d784b9687fbc05461ed6b4" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-06-09" 8 | threat_name = "Windows.Trojan.ProtectS" 9 | reference_sample = "c0330e072b7003f55a3153ac3e0859369b9c3e22779b113284e95ce1e2ce2099" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = 
"file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\ProtectS.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Remcos.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Remcos_b296e965 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "b296e965-a99e-4446-b969-ba233a2a8af4" 5 | fingerprint = "a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d" 6 | creation_date = "2021-06-10" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Trojan.Remcos" 9 | reference_sample = "0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Remcos restarted by watchdog!" 
ascii fullword 17 | $a2 = "Mutex_RemWatchdog" ascii fullword 18 | $a3 = "%02i:%02i:%02i:%03i" 19 | $a4 = "* Remcos v" ascii fullword 20 | condition: 21 | 2 of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Remotemanipulator.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Remotemanipulator_9ec52153 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9ec52153-3b62-432d-b87c-895035df1a46" 5 | fingerprint = "02220e8af70ecffb3a7585f756c59ef5d9e17e6690c36d6bffc458e1d17dbd0c" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Remotemanipulator" 9 | reference_sample = "1dd15c830c0a159b53ed21b8c2ce1b7e8093256368d7b96c1347c6851ee6c4f6" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "killself.bat" wide fullword 17 | $a2 = "rutserv.exe" wide fullword 18 | $a3 = "rfusclient.exe" wide fullword 19 | $a4 = "install.log" wide fullword 20 | $a5 = "Unable to create Agent's path." 
wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Revengerat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Revengerat_db91bcc6 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "db91bcc6-024d-42da-8d0a-bd69374bf622" 5 | fingerprint = "9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Revengerat" 9 | reference_sample = "30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Revenge-RAT" wide fullword 17 | $a2 = "SELECT * FROM FirewallProduct" wide fullword 18 | $a3 = "HKEY_CURRENT_USER\\SOFTWARE\\" wide fullword 19 | $a4 = "get_MachineName" ascii fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_WhisperGate.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_WhisperGate_9192618b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9192618b-4f3e-4503-a97f-3c4420fb79e0" 5 | fingerprint = "21f2a5b730a86567e68491a0d997fc52ba37f28b2164747240a74c225be3c661" 6 | creation_date = "2022-01-17" 7 | last_modified = "2022-01-17" 8 | threat_name = "Windows.Trojan.WhisperGate" 9 | reference_sample = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "https://cdn.discordapp.com/attachments/" wide 17 | $a2 = 
"DxownxloxadDxatxxax" wide fullword 18 | $a3 = "powershell" wide fullword 19 | $a4 = "-enc UwB0AGEAcgB0AC" wide fullword 20 | $a5 = "Ylfwdwgmpilzyaph" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_Trojan_Xpertrat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Xpertrat_ce03c41d { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ce03c41d-d5c3-43f5-b3ca-f244f177d710" 5 | fingerprint = "8aa4336ba6909c820f1164c78453629959e28cb619fda45dbe46291f9fbcbec4" 6 | creation_date = "2021-08-06" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Xpertrat" 9 | reference_sample = "d7f2fddb43eb63f9246f0a4535dfcca6da2817592455d7eceaacde666cf1aaae" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "[XpertRAT-Mutex]" wide fullword 17 | $a2 = "XPERTPLUGIN" wide fullword 18 | $a3 = "keylog.tmp" wide fullword /* all three UTF-16LE whole-word markers are required: the mutex name, the plugin tag and the keylogger temp file name; scan_context includes memory, so they can also be found in an unpacked process image, not only on disk */ 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_ATSZIO.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_ATSZIO_e22cc429 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "e22cc429-0285-4ab1-ae35-7e905e467182" 5 | fingerprint = "21cf1d00acde85bdae8c4cf6d59b0d224458de30a32dbddebd99eab48e1126bb" 6 | creation_date = "2022-04-07" 7 | last_modified = "2022-04-07" 8 | description = "Name: ATSZIO.sys" 9 | threat_name = "Windows.VulnDriver.ATSZIO" 10 | reference_sample = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" 11 | severity = 50 12 | arch_context = "x86" 13 | scan_context = "file" 14 | license = "Elastic License v2" 15 | os = "windows" 16 
| /* $original_file_name is UTF-16LE "OriginalFilename" NUL "ATSZIO.sys" NUL, i.e. the VERSIONINFO resource entry, so a renamed copy of the driver on disk still matches */ strings: 17 | $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 41 00 54 00 53 00 5A 00 49 00 4F 00 2E 00 73 00 79 00 73 00 00 00 } /* int16(uint32(0x3C) + 0x5c) reads the Subsystem field of the PE optional header (e_lfanew + 0x18 for the PE signature and file header + 0x44 for Subsystem, the same offset in PE32 and PE32+); 0x0001 is IMAGE_SUBSYSTEM_NATIVE, so only kernel-mode driver images are considered. Every Windows_VulnDriver_* rule in this ruleset uses this gate; scan_context is file-only and severity 50 marks a legitimate-but-abusable driver rather than malware */ 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $original_file_name 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_Amifldrv.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Amifldrv_e387d5ad { 2 | meta: 3 | author = "Elastic Security" 4 | id = "e387d5ad-fde8-401b-bdcf-044c4f7f5fbd" 5 | fingerprint = "03f898088f37f3c9991fb70d7fb8548908cfac4e03bb2bfe88b11a65157909a8" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.Amifldrv" 9 | reference_sample = "fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\amifldrv64.pdb" /* native-subsystem gate (see ATSZIO above) plus the linker's PDB path; a rebuild with debug info stripped would not carry $str1 */ 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_AsIo.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_AsIo_5f9f29be { 2 | meta: 3 | author = "Elastic Security" 4 | id = "5f9f29be-9dbb-4d0f-84f5-7027c1413c2c" 5 | fingerprint = "82967badefb37a3964de583cb65f423afe46abc299d361c7a9cd407b146fd897" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.AsIo" 9 | reference_sample = "52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 
| strings: 16 | $str1 = "\\AsIO.pdb" /* native-subsystem gate plus PDB path, as for ATSZIO/Amifldrv above */ 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_EneIo.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_EneIo_6e01882f { 2 | meta: 3 | author = "Elastic Security" 4 | id = "6e01882f-8394-4e32-8049-fa9c4588b087" 5 | fingerprint = "8077212bfbadc7f47f2eb76f123a6e4bcda12009293cb975bbeaba77f8c9dcd0" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.EneIo" 9 | reference_sample = "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\Release\\EneIo.pdb" /* native-subsystem gate plus PDB path, as for ATSZIO above */ 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_Fidpci.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Fidpci_cb7f69b5 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "cb7f69b5-5421-493b-adf7-75130d19b001" 5 | fingerprint = "19da3f67e302d0a70d40533553a19ba91a99a83609c01c8f296834a93fa325e2" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.Fidpci" 9 | reference_sample = "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\fidpcidrv64.pdb" /* native-subsystem gate plus PDB path, as for ATSZIO above */ 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | 
-------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_Gvci.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Gvci_f5a35359 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "f5a35359-ee16-444a-aafd-c4ef162e46d4" 5 | fingerprint = "590e6b10c8bd1c299eb4ecd1368ac05d8811147c7ce3976de5e86d1a6d8bc14f" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.Gvci" 9 | reference_sample = "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\GVCIDrv64.pdb" /* int16(uint32(0x3C) + 0x5c) reads the Subsystem field of the PE optional header (e_lfanew + 0x18 for the PE signature and file header + 0x44 for Subsystem); 0x0001 is IMAGE_SUBSYSTEM_NATIVE, so only kernel-mode driver images are considered, and the linker's PDB path then identifies the specific driver. A rebuild with debug info stripped would not carry $str1. scan_context is file-only; severity 50 marks a legitimate-but-abusable driver rather than malware */ 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_Lha.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Lha_f72bff9a { 2 | meta: 3 | author = "Elastic Security" 4 | id = "f72bff9a-046c-4e02-9e11-4787c8aada75" 5 | fingerprint = "3b464386a60747131012d8380a34bed9329b02ac5cdc7b69b951f4f681243f35" 6 | creation_date = "2022-04-07" 7 | last_modified = "2022-04-07" 8 | description = "Name: LHA.sys" 9 | threat_name = "Windows.VulnDriver.Lha" 10 | reference_sample = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" 11 | severity = 50 12 | arch_context = "x86" 13 | scan_context = "file" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | /* $original_file_name is UTF-16LE "OriginalFilename" NUL "LHA.sys" NUL from the VERSIONINFO resource, so a renamed copy on disk still matches */ strings: 17 | $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 4C 00 48 00 41 00 2E 00 73 00 79 00 73 00 00 00 } /* native-subsystem gate as in Gvci above */ 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $original_file_name 20 | } 21 | 22 | 
-------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_ProcId.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_ProcId_86605fa9 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "86605fa9-bf1a-4c2c-87f5-cb656ebe4cf3" 5 | fingerprint = "6d8d926efd98d6eaa1d06d39fb5babf70abf6f0e639fb74f29f65836a79e4743" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.ProcId" 9 | reference_sample = "b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\piddrv64.pdb" /* int16(uint32(0x3C) + 0x5c) reads the Subsystem field of the PE optional header (e_lfanew + 0x18 for the PE signature and file header + 0x44 for Subsystem); 0x0001 is IMAGE_SUBSYSTEM_NATIVE, so only kernel-mode driver images are considered, and the linker's PDB path then identifies the driver. A rebuild with debug info stripped would not carry $str1. scan_context is file-only */ 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_RtCore.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_RtCore_4eeb2ce5 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "4eeb2ce5-e481-4e9c-beda-2b01f259ed96" 5 | fingerprint = "cebca7dc572afccf4eb600980b9cbaef0878213f91c04b4605a0cf4d0e5e541f" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-08-30" 8 | threat_name = "Windows.VulnDriver.RtCore" 9 | reference_sample = "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\Device\\RTCore64" wide fullword 17 | $str2 = "Kaspersky Lab Anti-Rootkit Monitor Driver" wide fullword /* same native-subsystem gate as ProcId above; $str1 is the UTF-16LE device name and $str2 is an explicit exclusion: an image that also carries the Kaspersky Lab Anti-Rootkit Monitor Driver description string is not flagged even though it exposes \Device\RTCore64, which keeps that vendor's own driver out of the vulnerable-driver verdict */ 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 and not $str2 20 | } 21 | 22 | -------------------------------------------------------------------------------- 
/yara_scanner/yara_rules/es_rules/Windows_VulnDriver_Speedfan.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Speedfan_9b590eee { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9b590eee-5938-4293-afac-c9e730753413" 5 | fingerprint = "c58a8c3bfa710896c35262cc880b9afbadcdfdd73d9969c707e7b5b64e6a70b5" 6 | creation_date = "2022-04-07" 7 | last_modified = "2022-04-07" 8 | description = "Subject: Sokno S.R.L." 9 | threat_name = "Windows.VulnDriver.Speedfan" 10 | reference_sample = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" 11 | severity = 50 12 | arch_context = "x86" 13 | scan_context = "file" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | /* $subject_name is a DER fragment of the embedded Authenticode certificate: 06 03 55 04 03 is the OID 2.5.4.3 (commonName), [2] skips the string tag and length byte, then "Sokno S.R.L." follows. The rule therefore keys on the signer's subject, not on a file name or PDB path: any native image signed under that subject matches */ strings: 17 | $subject_name = { 06 03 55 04 03 [2] 53 6F 6B 6E 6F 20 53 2E 52 2E 4C 2E } /* int16(uint32(0x3C) + 0x5c) reads the Subsystem field of the PE optional header (e_lfanew + 0x18 for the PE signature and file header + 0x44 for Subsystem); 0x0001 is IMAGE_SUBSYSTEM_NATIVE, so only kernel-mode driver images are considered. scan_context is file-only */ 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_WinFlash.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_WinFlash_881758da { 2 | meta: 3 | author = "Elastic Security" 4 | id = "881758da-760c-4c50-81f2-8bd698972ba2" 5 | fingerprint = "1c64ee1c3fc6bf93e207810a473367c404c824d0eaba15910b00016e23d53637" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.WinFlash" 9 | reference_sample = "8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\WinFlash64.pdb" /* native-subsystem gate as in Speedfan above, plus the linker's PDB path; a rebuild with debug info stripped would not carry $str1 */ 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner/yara_rules/es_rules/Windows_VulnDriver_Zam.yar: 
-------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Zam_928812a7 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "928812a7-ac7c-47cf-9111-11470b661d46" 5 | fingerprint = "8e5db0d4fee806538929680e7d3521b111b0e09fcc3eba3c191f6787375999cc" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.Zam" 9 | reference_sample = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $pdb_64 = "AntiMalware\\bin\\zam64.pdb" 17 | $pdb_32 = "AntiMalware\\bin\\zam32.pdb" /* either the 32- or the 64-bit build's PDB path satisfies any of ($pdb_*); int16(uint32(0x3C) + 0x5c) == 0x0001 reads the PE optional-header Subsystem field and requires IMAGE_SUBSYSTEM_NATIVE, i.e. a kernel-mode driver image. scan_context is file-only */ 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and any of ($pdb_*) 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara_scanner/yara_scanner.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RoomaSec/RmTools/db80cb3f19c2f378e4cb6c0d2b3960ff0db0ea45/yara_scanner/yara_scanner.exe -------------------------------------------------------------------------------- /yara_scanner_beta/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "use_log": 1, 3 | "scan_file_thread": 60, 4 | "only_scan_suffix": 1, 5 | "scan_file_suffix": [ 6 | ".exe", 7 | ".dll", 8 | ".sys", 9 | ".js", 10 | ".jsp", 11 | ".php", 12 | ".asp", 13 | ".aspx", 14 | ".cmd", 15 | ".bat", 16 | ".vbs", 17 | ".vbe", 18 | ".vb", 19 | ".ps1", 20 | ".psm1", 21 | ".wsh", 22 | ".vbscript", 23 | ".wsf", 24 | ".eml" 25 | ], 26 | "scan_path": ["C:\\Users\\huoji\\Desktop"], 27 | "skip_scan_paths": [ 28 | "windows\\WinSxS", 29 | "Windows\\Microsoft.NET", 30 | "Windows\\assembly", 31 | "Program Files\\WindowsApps", 32 | "Windows\\servicing", 33 | "Windows\\Installer" 34 | ], 35 | "hashes": 
["EE9E2816170E9441690EBEE28324F43046056712"], 36 | "filenames": ["InstDrv.bin"], 37 | "max_file_limit": 5002400 38 | } 39 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/Yara-Rules/cve_rules/CVE-2010-0805.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule MSIETabularActivex 7 | { 8 | meta: 9 | ref = "CVE-2010-0805" 10 | impact = 7 11 | hide = true 12 | author = "@d3t0n4t0r" 13 | strings: 14 | $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword 15 | $cve20100805_2 = "DataURL" nocase fullword 16 | $cve20100805_3 = "true" /* $cve20100805_3 ("true", no nocase/fullword) is meaningless on its own and only counts together with the Tabular Data Control CLSID in $cve20100805_1; the second disjunct (all of them) already implies the first, so it adds nothing to the verdict */ 17 | condition: 18 | ($cve20100805_1 and $cve20100805_3) or (all of them) 19 | } 20 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/Yara-Rules/cve_rules/CVE-2010-0887.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | rule JavaDeploymentToolkit 7 | { 8 | meta: 9 | ref = "CVE-2010-0887" 10 | impact = 7 11 | author = "@d3t0n4t0r" 12 | strings: 13 | $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword 14 | $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword 15 | $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword 16 | $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword 17 | $cve20100887_5 = "document.body.appendChild(" nocase fullword 18 | $cve20100887_6 = "launch(" 19 | $cve20100887_7 = "-J-jar -J" nocase fullword /* 3 of 7 with equal weight: the Java Deployment Toolkit CLSID, the JS object-injection fragments and the plugin MIME types all count the same, so a page that legitimately embeds the toolkit could plausibly reach the threshold; $cve20100887_6 is the only string without nocase/fullword */ 20 | condition: 21 | 3 of them 22 | } 23 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/Yara-Rules/cve_rules/CVE-2010-1297.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule FlashNewfunction: decodedPDF 7 | { 8 | meta: 9 | ref = "CVE-2010-1297" 10 | hide = true 11 | impact = 5 12 | ref = "http://blog.xanda.org/tag/jsunpack/" /* two meta keys named ref: YARA accepts repeated meta identifiers, but consumers that flatten meta into a map will keep only one of them */ 13 | strings: 14 | $unescape = "unescape" fullword nocase 15 | $shellcode = /%u[A-Fa-f0-9]{4}/ 16 | $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/ 17 | $cve20101297 = /\/Subtype ?\/Flash/ /* a "/Subtype /Flash" PDF dictionary entry plus either unescape() with at least one %uXXXX escape, or a run of five consecutive %uXXXX escapes (an encoded shellcode blob); the decodedPDF tag signals this expects already-decoded PDF streams */ 18 | condition: 19 | ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297) 20 | } 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/Yara-Rules/cve_rules/CVE-2013-0074.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | rule cve_2013_0074 7 | { 8 | meta: 9 | author = "Kaspersky Lab" 10 | filetype = "Win32 EXE" 11 | date = "2015-07-23" 12 | version = "1.0" 13 | 14 | strings: 15 | $b2="Can't find Payload() address" ascii wide 16 | $b3="/SilverApp1;component/App.xaml" ascii wide 17 | $b4="Can't allocate ums after buf[]" ascii wide 18 | $b5="------------ START ------------" /* $b5 carries no ascii/wide modifier, so it is ASCII-only unlike $b2-$b4; 2 of the four strings suffice. meta filetype says Win32 EXE but there is no PE magic check, so any file type can match */ 19 | 20 | condition: 21 | ( (2 of ($b*)) ) 22 | } 23 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/Yara-Rules/cve_rules/CVE-2015-5119.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule Flash_CVE_2015_5119_APT3 : Exploit { 7 | meta: 8 | description = "Exploit Sample CVE-2015-5119" 9 | author = "Florian Roth" 10 | score = 70 11 | date = "2015-08-01" 12 | strings: 13 | $s0 = "HT_exploit" fullword ascii 14 | $s1 = "HT_Exploit" fullword ascii 15 | $s2 = "flash_exploit_" ascii 16 | $s3 = "exp1_fla/MainTimeline" ascii fullword 17 | $s4 = "exp2_fla/MainTimeline" ascii fullword 18 | $s5 = "_shellcode_32" fullword ascii 19 | $s6 = "todo: unknown 32-bit target" fullword ascii /* uint16(0) == 0x5746 is the little-endian read of the bytes 46 57 ("FW"), i.e. the "FWS" header of an uncompressed SWF; zlib ("CWS") and LZMA ("ZWS") compressed SWFs are not examined, and the strings would be compressed there anyway. $s0/$s1 differ only in case and are listed separately because neither uses nocase; one hit suffices */ 20 | condition: 21 | uint16(0) == 0x5746 and 1 of them 22 | } 23 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/Yara-Rules/cve_rules/CVE-2018-20250.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | */ 4 | 5 | rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP 6 | { 7 | meta: 8 | description = "Generic rule for hostile ACE archive using CVE-2018-20250" 9 | author = "xylitol@temari.fr" 10 | date = "2019-03-17" 11 | reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/" 12 | // May only the challenge guide you 13 | strings: 14 | $string1 = "**ACE**" ascii wide 15 | $string2 = "*UNREGISTERED VERSION*" ascii wide 16 | // $hexstring1 = C:\C:\ 17 | $hexstring1 = {?? 3A 5C ?? 3A 5C} 18 | // $hexstring2 = C:\C:C:.. 19 | $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E} /* "**ACE**" at offset 7 and "*UNREGISTERED VERSION*" at 31 anchor on the fixed ACE main-header layout, which keeps the rule cheap and specific to ACE containers; $hexstring1/2 then look for the doubled drive-letter path shape ("?:\?:\") in a stored filename, so coverage is limited to that one traversal pattern */ 20 | condition: 21 | $string1 at 7 and $string2 at 31 and 1 of ($hexstring*) 22 | } 23 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/Yara-Rules/webshells/WShell_ASPXSpy.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | 5 | rule Backdoor_WebShell_asp : ASPXSpy 6 | { 7 | meta: 8 | description= "Detect ASPXSpy" 9 | author = "xylitol@temari.fr" 10 | date = "2019-02-26" 11 | // May only the challenge guide you 12 | strings: 13 | $string1 = "CmdShell" wide ascii 14 | $string2 = "ADSViewer" wide ascii 15 | $string3 = "ASPXSpy.Bin" wide ascii 16 | $string4 = "PortScan" wide ascii 17 | $plugin = "Test.AspxSpyPlugins" wide ascii /* three of the four feature names, or the plugin namespace alone; every string is ascii+wide, so both 8-bit and UTF-16 encodings of the page are covered */ 18 | 19 | condition: 20 | 3 of ($string*) or $plugin 21 | } 22 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/Yara-Rules/webshells/WShell_PHP_Anuna.yar: -------------------------------------------------------------------------------- 1 | /* 2 | I first found this in May 2016, appeared in every PHP file on the 3 | server, cleaned it with `sed` and regex magic. 
Second time was 4 | in June 2016, same decoded content, different encoding/naming. 5 | 6 | https://www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99 7 | */ 8 | rule php_anuna 9 | { 10 | meta: 11 | author = "Vlad https://github.com/vlad-s" 12 | date = "2016/07/18" 13 | description = "Catches a PHP Trojan" 14 | strings: 15 | $a = /<\?php \$[a-z]+ = '/ 16 | $b = /\$[a-z]+=explode\(chr\(\([0-9]+[-+][0-9]+\)\)/ 17 | $c = /\$[a-z]+=\([0-9]+[-+][0-9]+\)/ 18 | $d = /if \(!function_exists\('[a-z]+'\)\)/ /* all four regexes must hit: the "<?php $x = '" opener, an explode(chr((n+m))) decoder, an arithmetic-obfuscated integer assignment and a function_exists guard — the obfuscation layout described in the header comment; a re-encoded variant that changes any one of these shapes falls through */ 19 | condition: 20 | all of them 21 | } 22 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/Yara-Rules/webshells/WShell_PHP_in_images.yar: -------------------------------------------------------------------------------- 1 | /* 2 | Finds PHP code in JP(E)Gs, GIFs, PNGs. 3 | Magic numbers via Wikipedia. 4 | */ 5 | rule php_in_image 6 | { 7 | meta: 8 | author = "Vlad https://github.com/vlad-s" 9 | date = "2016/07/18" 10 | description = "Finds image files w/ PHP code in images" 11 | strings: 12 | $gif = /^GIF8[79]a/ 13 | $jfif = { ff d8 ff e? 
00 10 4a 46 49 46 } 14 | $png = { 89 50 4e 47 0d 0a 1a 0a } 15 | 16 | $php_tag = "" /* NOTE(review): the listing is truncated here — $php_tag's real value (most likely a PHP open tag that the HTML renderer swallowed), the remainder of php_in_image and the head of the following ransomware rule (only its last string ".lockfile" and its condition survive) are missing from this extraction; do not treat this span as a valid rule */ 19 | $a4 = ".lockfile" 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Ransomware_Mespinoza.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Mespinoza_3adb59f5 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "3adb59f5-a4af-48f2-8029-874a62b23651" 5 | fingerprint = "f44a79048427e79d339d3b0ccaeb85ba6731d5548256a2615f32970dcf67578f" 6 | creation_date = "2021-08-05" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Ransomware.Mespinoza" 9 | reference_sample = "6f3cd5f05ab4f404c78bab92f705c91d967b31a9b06017d910af312fa87ae3d6" 10 | severity = 90 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Don't try to use backups because it were encrypted too." ascii fullword 17 | $a2 = "Every byte on any types of your devices was encrypted." 
ascii fullword 18 | $a3 = "n.pysa" wide fullword /* all of: two ransom-note sentences (ASCII only) plus the UTF-16LE ".pysa" extension fragment (wide only), so the encodings are asserted along with the text; a note whose wording is edited would miss $a1/$a2 */ 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Ransomware_Pandora.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Pandora_bca8ce23 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "bca8ce23-6722-4cda-b5fa-623eda4fca1b" 5 | fingerprint = "0da732f6bdf24f35dee3c1bf85435650a5ce9b5c6a93f01176659943c01ad711" 6 | creation_date = "2022-03-14" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Ransomware.Pandora" 9 | reference_sample = "2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "/c vssadmin.exe delete shadows /all /quiet" wide fullword 17 | $a2 = "\\Restore_My_Files.txt" wide fullword 18 | $a3 = ".pandora" wide fullword /* all three UTF-16LE strings: the shadow-copy deletion command line (worth its own detection in a process-creation log regardless of this rule), the ransom-note filename and the appended extension; scan_context includes memory, so a running process can also be matched */ 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Ransomware_Ransomexx.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Ransomexx_fabff49c { 2 | meta: 3 | author = "Elastic Security" 4 | id = "fabff49c-8e1a-4020-b081-2f432532e529" 5 | fingerprint = "a7a1e6d5fafdddc7d4699710edf407653968ffd40747c50f26ef63a6cb623bbe" 6 | creation_date = "2021-08-07" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Ransomware.Ransomexx" 9 | reference_sample = "480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "ransom.exx" ascii fullword 17 | $a2 = "Infrastructure 
rebuild will cost you MUCH more." wide fullword 18 | $a3 = "Your files are securely ENCRYPTED." wide fullword 19 | $a4 = "delete catalog -quiet" wide fullword /* all of: the ASCII "ransom.exx" marker plus three UTF-16LE strings — two ransom-note sentences and the "delete catalog -quiet" arguments (presumably the backup-catalog deletion command line; worth its own process-creation detection) */ 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Ransomware_Rook.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Rook_ee21fa67 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ee21fa67-bd82-40fb-9c6d-bab5abfe14b3" 5 | fingerprint = "8ef731590e73f79a13d04db39e58b03d0a29fd8e46a0584b0fcaf57ac0efe473" 6 | creation_date = "2022-01-14" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Ransomware.Rook" 9 | reference_sample = "c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 01 75 09 8B C3 FF C3 48 89 74 C5 F0 48 FF C7 48 83 FF 1A 7C DB } /* a single fixed code-byte sequence with no wildcards (the 48-prefixed bytes look like REX.W-prefixed x64 instructions, so this presumably targets the 64-bit build); "all of them" with one string is simply $a, and a recompiled build may not reproduce these exact bytes */ 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Ransomware_Royal.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Royal_b7d42109 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "b7d42109-f327-4ec3-86ac-d1ebb9478860" 5 | fingerprint = "ff518f25b39b02769b67c437f38958d14e4e8f50b91f4c73591203da297a5d2a" 6 | creation_date = "2022-11-04" 7 | last_modified = "2022-12-20" 8 | threat_name = "Windows.Ransomware.Royal" 9 | reference_sample = "491c2b32095174b9de2fd799732a6f84878c2e23b9bb560cd3155cbdc65e2b80" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Try Royal today and enter the new era of data 
security" ascii fullword 17 | $a2 = "If you are reading this, it means that your system were hit by Royal ransomware." ascii fullword 18 | $a3 = "http://royal" 19 | $a4 = "\\README.TXT" wide fullword /* all four: two ransom-note sentences (ASCII, whole-word), the "http://royal" URL prefix ($a3 has no modifiers, so ASCII and not whole-word) and the UTF-16LE note filename */ 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Ransomware_Stop.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Ransomware_Stop_1e8d48ff { 2 | meta: 3 | author = "Elastic Security" 4 | id = "1e8d48ff-e0ab-478d-8268-a11f2e87ab79" 5 | fingerprint = "715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb" 6 | creation_date = "2021-06-10" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Ransomware.Stop" 9 | reference_sample = "821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = "E:\\Doc\\My work (C++)\\_Git\\Encryption\\Release\\encrypt_win_api.pdb" ascii fullword 17 | $b = { 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF } /* any of: the developer's PDB path alone is enough (strong, but trivially absent from a stripped build), or the 32-bit x86 code fragment in $b (push imm / call ebx / lea eax,[ebp-...] sequences), which matches arch_context */ 18 | condition: 19 | any of them 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Rootkit_R77.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Rootkit_R77_5bab748b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "5bab748b-8576-4967-9b50-a3778db1dd71" 5 | fingerprint = "2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa" 6 | creation_date = "2022-03-04" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Rootkit.R77" 9 | reference_sample = "cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | 
license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8 } /* single code-byte pattern with no wildcards; the 41/48/49/4C prefixes look like x64 REX bytes, so this presumably covers only the 64-bit build, and scan_context "file, memory" lets it fire on an injected in-memory copy as well as on disk */ 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_A310logger.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_A310logger_520cd7ec { 2 | meta: 3 | author = "Elastic Security" 4 | id = "520cd7ec-840c-4d45-961b-8bc5e329c52f" 5 | fingerprint = "f4ee88e555b7bd0102403cc804372f5376debc59555e8e7b4a16e18b04d1b314" 6 | creation_date = "2022-01-11" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.A310logger" 9 | reference_sample = "60fb9597e5843c72d761525f73ca728409579d81901860981ebd84f7d153cfa3" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "/dumps9taw" ascii fullword 17 | $a2 = "/logstatus" ascii fullword 18 | $a3 = "/checkprotection" ascii fullword 19 | $a4 = "[CLIPBOARD]<<" wide fullword 20 | $a5 = "&chat_id=" wide fullword /* all five: three ASCII URL paths, the UTF-16LE clipboard-log marker and the "&chat_id=" query parameter (the form used by the Telegram Bot API, suggesting that channel for exfiltration) */ 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_ArkeiStealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_ArkeiStealer_84c7086a { 2 | meta: 3 | author = "Elastic Security" 4 | id = "84c7086a-abc3-4b97-b325-46a078b90a95" 5 | fingerprint = "f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d" 6 | creation_date = "2022-02-17" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.ArkeiStealer" 9 | reference_sample = "708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | 
license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 01 89 55 F4 8B 45 F4 3B 45 10 73 31 8B 4D 08 03 4D F4 0F BE 19 8B } /* single 32-bit code fragment (ebp-relative locals, a bounds compare and a movsx of one byte — looks like a per-character loop); no wildcards, so a recompiled build may not reproduce it */ 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Babylonrat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Babylonrat_0f66e73b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "0f66e73b-7824-46b6-a9e6-5abf018c9ffa" 5 | fingerprint = "3998824e381f51aaa2c81c12d4c05157c642d8aef39982e35fa3e124191640ea" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Babylonrat" 9 | reference_sample = "4278064ec50f87bb0471053c068b13955ed9d599434e687a64bf2060438a7511" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "BabylonRAT" wide fullword 17 | $a2 = "Babylon RAT Client" wide fullword 18 | $a3 = "ping 0 & del \"" wide fullword 19 | $a4 = "\\%Y %m %d - %I %M %p" wide fullword /* all four UTF-16LE: two product-name strings, the "ping 0 & del" self-deletion command fragment and a strftime-style timestamp path format */ 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Backoff.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Backoff_22798f00 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "22798f00-ff2a-4f5f-a9ef-fab6d04ca679" 5 | fingerprint = "a45fc701844e6e0cfba5d8ef90d00960b5817af66e6b3d889a54d33539cd5d41" 6 | creation_date = "2022-08-10" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.Trojan.Backoff" 9 | severity = 100 10 | arch_context = "x86" 11 | scan_context = "file, memory" 12 | license = "Elastic License v2" 13 | os = "windows" 14 | strings: 15 | $str1 = "\\nsskrnl" fullword 16 | $str2 = "Upload KeyLogs" 
fullword 17 | $str3 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s" fullword 18 | $str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword 19 | $str5 = "\\OracleJava\\Log.txt" fullword 20 | $str6 = "[Ctrl+%c]" fullword /* 3 of 6, all ASCII (no wide modifier): a driver-like file name, a keylog upload label, what looks like a check-in query-string format, two log-formatting strings and a log path; this rule has no reference_sample in meta */ 21 | condition: 22 | 3 of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Bandook.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Bandook_38497690 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "38497690-6663-47c9-a864-0bbe6a3f7a8b" 5 | fingerprint = "b6debea805a8952b9b7473ad7347645e4aced3ecde8d6e53fa2d82c35b285b3c" 6 | creation_date = "2022-08-10" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.Trojan.Bandook" 9 | reference_sample = "4d079586a51168aac708a9ab7d11a5a49dfe7a16d9ced852fbbc5884020c0c97" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "%s~!%s~!%s~!%s~!%s~!%s~!" 
17 | $str2 = "ammyy.abc" 18 | $str3 = "StealUSB" 19 | $str4 = "DisableMouseCapture" 20 | $str5 = "%sSkype\\%s\\config.xml" 21 | $str6 = "AVE_MARIA" /* 3 of 6 with no ascii/wide modifiers, so ASCII only: a "~!"-delimited field format, two command names, a Skype config path and "AVE_MARIA", which is also a well-known marker of the AveMaria/WarzoneRAT family — overlapping hits between the two families are plausible */ 22 | condition: 23 | 3 of them 24 | } 25 | 26 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_CaesarKbd.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_CaesarKbd_32bb198b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "32bb198b-ec03-4628-8e9b-bc36c2525ec7" 5 | fingerprint = "54ed92761bb619ae4dcec9c27127d6c2a74a575916249cd5db24b8deb2ee0588" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-06-09" 8 | threat_name = "Windows.Trojan.CaesarKbd" 9 | reference_sample = "d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "CaesarKbd_IOCtrl" /* int16(uint32(0x3C) + 0x5c) reads the PE optional-header Subsystem field (e_lfanew + 0x18 + 0x44) and requires IMAGE_SUBSYSTEM_NATIVE (0x0001), i.e. a kernel-mode driver image; the ASCII IOCTL-handler name then identifies the driver. Unlike the VulnDriver rules this is severity 100 (malicious), but scan_context is still file-only */ 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_DBatLoader.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_DBatLoader_f93a8e90 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "f93a8e90-10ac-44de-ac3b-c0e976628e98" 5 | fingerprint = "81b87663fbad9854430e5c4dcade464a15b995e645f9993a3e234593ee4df901" 6 | creation_date = "2022-03-11" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.DBatLoader" 9 | reference_sample = "f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { FF 00 74 17 8B 45 E8 0F B6 7C 18 FF 66 03 7D EC 66 0F AF 7D F4 66 03 } 17 
| condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_DarkVNC.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_DarkVNC_bd803c2e { 2 | meta: 3 | author = "Elastic Security" 4 | id = "bd803c2e-77bd-4b8c-bdfa-11a9bd54a454" 5 | fingerprint = "131f4b3ef5b01720a52958058ecc4c3681ed0ca975a1a06cd034d7205680e710" 6 | creation_date = "2023-01-23" 7 | last_modified = "2023-02-01" 8 | threat_name = "Windows.Trojan.DarkVNC" 9 | reference_sample = "0fcc1b02fdaf211c772bd4fa1abcdeb5338d95911c226a9250200ff7f8e45601" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "BOT-%s(%s)_%S-%S%u%u" wide fullword 17 | $a2 = "{%08X-%04X-%04X-%04X-%08X%04X}" wide fullword 18 | $a3 = "monitor_off / monitor_on" ascii fullword 19 | $a4 = "bot_shell >" ascii fullword 20 | $a5 = "keyboard and mouse are blocked !" 
ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Darkcomet.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Darkcomet_1df27bcc { 2 | meta: 3 | author = "Elastic Security" 4 | id = "1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63" 5 | fingerprint = "63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b" 6 | creation_date = "2021-08-16" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Darkcomet" 9 | reference_sample = "7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "BTRESULTHTTP Flood|Http Flood task finished!|" ascii fullword 17 | $a2 = "is now open!|" ascii fullword 18 | $a3 = "ActiveOnlineKeylogger" ascii fullword 19 | $a4 = "#BOT#RunPrompt" ascii fullword 20 | $a5 = "GETMONITORS" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_DiamondFox.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_DiamondFox_18bc11e3 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "18bc11e3-5872-40b0-a3b7-cef4b32fac15" 5 | fingerprint = "6f908d11220e218a7b59239ff3cc00c7e273fb46ec99ef7ae37e4aceb4de7831" 6 | creation_date = "2022-03-02" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.DiamondFox" 9 | reference_sample = "a44c46d4b9cf1254aaabd1e689f84c4d2c3dd213597f827acabface03a1ae6d1" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "\\wscript.vbs" 
wide fullword 17 | $a2 = "\\snapshot.jpg" wide fullword 18 | $a3 = "&soft=" wide fullword 19 | $a4 = "ping -n 4 127.0.0.1 > nul" wide fullword 20 | $a5 = "Select Name from Win32_Process Where Name = '" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Farfli.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Farfli_85d1bcc9 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "85d1bcc9-c3c7-454c-a77f-0e0de933c4c3" 5 | fingerprint = "56a5e4955556d08b80849ea5775f35f5a32999d6b5df92357ab142a4faa74ac3" 6 | creation_date = "2022-02-17" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.Farfli" 9 | reference_sample = "e3e9ea1b547cc235e6f1a78b4ca620c69a54209f84c7de9af17eb5b02e9b58c3" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { AB 66 AB C6 45 D4 25 C6 45 D5 73 C6 45 D6 5C C6 45 D7 25 C6 45 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Garble.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Garble_eae7f2f7 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "eae7f2f7-49b3-427c-9cf3-cce64d772c78" 5 | fingerprint = "b72b8d475ef50a5e703d741f195d8ce0916f46ee5744c5bc7c8d452ab23df388" 6 | creation_date = "2022-06-08" 7 | last_modified = "2022-09-29" 8 | threat_name = "Windows.Trojan.Garble" 9 | reference_sample = "4820a1ec99981e03675a86c4c01acba6838f04945b5f753770b3de4e253e1b8c" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = 
".\"G!-$G#-&J%.(G'-*G)-,J+..G--0G/-2J1.4G3-6G5-8J7.:G9-J=+@A?-BAA*DAC*FAE*HFG+JAI-LAK*NAM*PAO*RFQ+TAS-VAU9" 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Gh0st.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Gh0st_ee6de6bc { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ee6de6bc-1648-4a77-9607-e2a211c7bda4" 5 | fingerprint = "3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455" 6 | creation_date = "2021-06-10" 7 | last_modified = "2021-08-23" 8 | description = "Identifies a variant of Gh0st Rat" 9 | threat_name = "Windows.Trojan.Gh0st" 10 | reference_sample = "ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d" 11 | severity = 100 12 | arch_context = "x86" 13 | scan_context = "file, memory" 14 | license = "Elastic License v2" 15 | os = "windows" 16 | strings: 17 | $a1 = ":]%d-%d-%d %d:%d:%d" ascii fullword 18 | $a2 = "[Pause Break]" ascii fullword 19 | $a3 = "f-secure.exe" ascii fullword 20 | $a4 = "Accept-Language: zh-cn" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Hancitor.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Hancitor_6738d84a { 2 | meta: 3 | author = "Elastic Security" 4 | id = "6738d84a-7393-4db2-97cc-66f471b5699a" 5 | fingerprint = "44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912" 6 | creation_date = "2021-06-17" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Trojan.Hancitor" 9 | reference_sample = "a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License 
v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d" 17 | $b1 = "Rundll32.exe %s, start" ascii fullword 18 | $b2 = "MASSLoader.dll" ascii fullword 19 | condition: 20 | $a1 or all of ($b*) 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Hawkeye.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Hawkeye_77c36ace { 2 | meta: 3 | author = "Elastic Security" 4 | id = "77c36ace-3857-43f8-a6de-596ba7964b6f" 5 | fingerprint = "c9a1c61b4fa78c46d493e1b307e9950bd714ba4e5a6249f15a3b86a74b7638e5" 6 | creation_date = "2021-08-16" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Hawkeye" 9 | reference_sample = "28e28025060f1bafd4eb96c7477cab73497ca2144b52e664b254c616607d94cd" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Logger - Key Recorder - [" wide fullword 17 | $a2 = "http://whatismyipaddress.com/" wide fullword 18 | $a3 = "Keylogger Enabled: " wide fullword 19 | $a4 = "LoadPasswordsSeaMonkey" wide fullword 20 | $a5 = "\\.minecraft\\lastlogin" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Jupyter.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Jupyter_56152e31 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "56152e31-77c6-49fa-bbc5-c3630f11e633" 5 | fingerprint = "9cccc2e3d4cfe9ff090d02b143fa837f4da0c229426435b4e097f902e8c5fb01" 6 | creation_date = "2021-07-22" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Trojan.Jupyter" 9 | reference_sample = 
"ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "%appdata%\\solarmarker.dat" ascii fullword 17 | $a2 = "\\AppData\\Roaming\\solarmarker.dat" wide fullword 18 | $b1 = "steal_passwords" ascii fullword 19 | $b2 = "jupyter" ascii fullword 20 | condition: 21 | 1 of ($a*) or 2 of ($b*) 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Limerat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Limerat_24269a79 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "24269a79-0172-4da5-9b4d-f61327072bf0" 5 | fingerprint = "cb714cd787519216d25edaad9f89a9c0ce1b8fbbbcdf90bda4c79f5d85fdf381" 6 | creation_date = "2021-08-17" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Limerat" 9 | reference_sample = "ec781a714d6bc6fac48d59890d9ae594ffd4dbc95710f2da1f1aa3d5b87b9e01" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr \"'" wide fullword 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Lucifer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Lucifer_ce9d4cc8 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ce9d4cc8-8f16-4272-a54b-e500d4edea9b" 5 | fingerprint = "77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55" 6 | creation_date = "2022-02-17" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.Lucifer" 9 | reference_sample 
= "1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Lurker.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Lurker_0ee51802 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "0ee51802-4ff3-4edf-95ed-bb0338ff25d9" 5 | fingerprint = "c30bc4e25c1984268a3bb44c59081131d1e81254b94734f6af2b47969c0acd0e" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-06-09" 8 | threat_name = "Windows.Trojan.Lurker" 9 | reference_sample = "5718fd4f807e29e48a8b6a6f4484426ba96c61ec8630dc78677686e0c9ba2b87" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\Device\\ZHWLurker0410" wide fullword 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Merlin.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Merlin_e8ecb3be { 2 | meta: 3 | author = "Elastic Security" 4 | id = "e8ecb3be-edba-4617-b4df-9d5b6275d310" 5 | fingerprint = "54e03337930d74568a91e797cfda3b7bfbce3aad29be2543ed58c51728d8e185" 6 | creation_date = "2022-01-05" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.Merlin" 9 | reference_sample = "768c120e63d3960a0842dcc538749955ab7caabaeaf3682f6d1e30666aac65a8" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | 
license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = { AF F0 4C 01 F1 4C 8B B4 24 A8 00 00 00 4D 0F AF F4 4C 01 F1 4C 8B B4 24 B0 00 } 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Octopus.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Octopus_15813e26 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "15813e26-77f8-46cf-a6a3-ae081925b85a" 5 | fingerprint = "a3294547f7e3cead0cd64eb3d2e7dbd8ccfc4d9eedede240a643c8cd114cbcce" 6 | creation_date = "2021-11-10" 7 | last_modified = "2022-01-13" 8 | description = "Identifies Octopus, an Open source pre-operation C2 server based on Python and PowerShell" 9 | threat_name = "Windows.Trojan.Octopus" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a = "C:\\Users\\UNKNOWN\\source\\repos\\OctopusUnmanagedExe\\OctopusUnmanagedExe\\obj\\x64\\Release\\SystemConfiguration.pdb" ascii fullword 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_OskiStealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_OskiStealer_a158b1e3 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "a158b1e3-21b7-4009-9646-6bee9bde98ad" 5 | fingerprint = "3996a89d37494b118654f3713393f415c662850a5a76afa00e83f9611aee3221" 6 | creation_date = "2022-03-21" 7 | last_modified = "2022-04-12" 8 | threat_name = "Windows.Trojan.OskiStealer" 9 | reference_sample = "568cd515c9a3bce7ef21520761b02cbfc95d8884d5b2dc38fc352af92356c694" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 
| os = "windows" 15 | strings: 16 | $a1 = "\"os_crypt\":{\"encrypted_key\":\"" ascii fullword 17 | $a2 = "%s / %s" ascii fullword 18 | $a3 = "outlook.txt" ascii fullword 19 | $a4 = "GLoX6gmCFw==" ascii fullword 20 | $a5 = "KaoQpEzKSjGm8Q==" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Pandastealer.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Pandastealer_8b333e76 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "8b333e76-f723-4093-ad72-2f5d42aaa9c9" 5 | fingerprint = "873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Pandastealer" 9 | reference_sample = "ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "] - [user: " ascii fullword 17 | $a2 = "[-] data unpacked failed" ascii fullword 18 | $a3 = "[+] data unpacked" ascii fullword 19 | $a4 = "\\history\\" ascii fullword 20 | $a5 = "PlayerName" ascii fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_ProtectS.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_ProtectS_9f6eaa90 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9f6eaa90-b3d4-4f0f-a81e-8010be0a6d36" 5 | fingerprint = "46bf59901876794dcc338923076939d765d3ce7f14d784b9687fbc05461ed6b4" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-06-09" 8 | threat_name = "Windows.Trojan.ProtectS" 9 | reference_sample = 
"c0330e072b7003f55a3153ac3e0859369b9c3e22779b113284e95ce1e2ce2099" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\ProtectS.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Remcos.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Remcos_b296e965 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "b296e965-a99e-4446-b969-ba233a2a8af4" 5 | fingerprint = "a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d" 6 | creation_date = "2021-06-10" 7 | last_modified = "2021-08-23" 8 | threat_name = "Windows.Trojan.Remcos" 9 | reference_sample = "0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Remcos restarted by watchdog!" 
ascii fullword 17 | $a2 = "Mutex_RemWatchdog" ascii fullword 18 | $a3 = "%02i:%02i:%02i:%03i" 19 | $a4 = "* Remcos v" ascii fullword 20 | condition: 21 | 2 of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Remotemanipulator.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Remotemanipulator_9ec52153 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9ec52153-3b62-432d-b87c-895035df1a46" 5 | fingerprint = "02220e8af70ecffb3a7585f756c59ef5d9e17e6690c36d6bffc458e1d17dbd0c" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Remotemanipulator" 9 | reference_sample = "1dd15c830c0a159b53ed21b8c2ce1b7e8093256368d7b96c1347c6851ee6c4f6" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "killself.bat" wide fullword 17 | $a2 = "rutserv.exe" wide fullword 18 | $a3 = "rfusclient.exe" wide fullword 19 | $a4 = "install.log" wide fullword 20 | $a5 = "Unable to create Agent's path." 
wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Revengerat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Revengerat_db91bcc6 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "db91bcc6-024d-42da-8d0a-bd69374bf622" 5 | fingerprint = "9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666" 6 | creation_date = "2021-09-02" 7 | last_modified = "2022-01-13" 8 | threat_name = "Windows.Trojan.Revengerat" 9 | reference_sample = "30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "Revenge-RAT" wide fullword 17 | $a2 = "SELECT * FROM FirewallProduct" wide fullword 18 | $a3 = "HKEY_CURRENT_USER\\SOFTWARE\\" wide fullword 19 | $a4 = "get_MachineName" ascii fullword 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_WhisperGate.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_WhisperGate_9192618b { 2 | meta: 3 | author = "Elastic Security" 4 | id = "9192618b-4f3e-4503-a97f-3c4420fb79e0" 5 | fingerprint = "21f2a5b730a86567e68491a0d997fc52ba37f28b2164747240a74c225be3c661" 6 | creation_date = "2022-01-17" 7 | last_modified = "2022-01-17" 8 | threat_name = "Windows.Trojan.WhisperGate" 9 | reference_sample = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "https://cdn.discordapp.com/attachments/" wide 17 | $a2 = 
"DxownxloxadDxatxxax" wide fullword 18 | $a3 = "powershell" wide fullword 19 | $a4 = "-enc UwB0AGEAcgB0AC" wide fullword 20 | $a5 = "Ylfwdwgmpilzyaph" wide fullword 21 | condition: 22 | all of them 23 | } 24 | 25 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_Trojan_Xpertrat.yar: -------------------------------------------------------------------------------- 1 | rule Windows_Trojan_Xpertrat_ce03c41d { 2 | meta: 3 | author = "Elastic Security" 4 | id = "ce03c41d-d5c3-43f5-b3ca-f244f177d710" 5 | fingerprint = "8aa4336ba6909c820f1164c78453629959e28cb619fda45dbe46291f9fbcbec4" 6 | creation_date = "2021-08-06" 7 | last_modified = "2021-10-04" 8 | threat_name = "Windows.Trojan.Xpertrat" 9 | reference_sample = "d7f2fddb43eb63f9246f0a4535dfcca6da2817592455d7eceaacde666cf1aaae" 10 | severity = 100 11 | arch_context = "x86" 12 | scan_context = "file, memory" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $a1 = "[XpertRAT-Mutex]" wide fullword 17 | $a2 = "XPERTPLUGIN" wide fullword 18 | $a3 = "keylog.tmp" wide fullword 19 | condition: 20 | all of them 21 | } 22 | 23 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_ATSZIO.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_ATSZIO_e22cc429 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "e22cc429-0285-4ab1-ae35-7e905e467182" 5 | fingerprint = "21cf1d00acde85bdae8c4cf6d59b0d224458de30a32dbddebd99eab48e1126bb" 6 | creation_date = "2022-04-07" 7 | last_modified = "2022-04-07" 8 | description = "Name: ATSZIO.sys" 9 | threat_name = "Windows.VulnDriver.ATSZIO" 10 | reference_sample = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" 11 | severity = 50 12 | arch_context = "x86" 13 | scan_context = "file" 14 | license = "Elastic License v2" 15 | os = 
"windows" 16 | strings: 17 | $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 41 00 54 00 53 00 5A 00 49 00 4F 00 2E 00 73 00 79 00 73 00 00 00 } 18 | condition: 19 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $original_file_name 20 | } 21 | 22 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_Amifldrv.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Amifldrv_e387d5ad { 2 | meta: 3 | author = "Elastic Security" 4 | id = "e387d5ad-fde8-401b-bdcf-044c4f7f5fbd" 5 | fingerprint = "03f898088f37f3c9991fb70d7fb8548908cfac4e03bb2bfe88b11a65157909a8" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.Amifldrv" 9 | reference_sample = "fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\amifldrv64.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_AsIo.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_AsIo_5f9f29be { 2 | meta: 3 | author = "Elastic Security" 4 | id = "5f9f29be-9dbb-4d0f-84f5-7027c1413c2c" 5 | fingerprint = "82967badefb37a3964de583cb65f423afe46abc299d361c7a9cd407b146fd897" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.AsIo" 9 | reference_sample = "52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 
14 | os = "windows" 15 | strings: 16 | $str1 = "\\AsIO.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_EneIo.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_EneIo_6e01882f { 2 | meta: 3 | author = "Elastic Security" 4 | id = "6e01882f-8394-4e32-8049-fa9c4588b087" 5 | fingerprint = "8077212bfbadc7f47f2eb76f123a6e4bcda12009293cb975bbeaba77f8c9dcd0" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.EneIo" 9 | reference_sample = "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\Release\\EneIo.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | -------------------------------------------------------------------------------- /yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_Fidpci.yar: -------------------------------------------------------------------------------- 1 | rule Windows_VulnDriver_Fidpci_cb7f69b5 { 2 | meta: 3 | author = "Elastic Security" 4 | id = "cb7f69b5-5421-493b-adf7-75130d19b001" 5 | fingerprint = "19da3f67e302d0a70d40533553a19ba91a99a83609c01c8f296834a93fa325e2" 6 | creation_date = "2022-04-04" 7 | last_modified = "2022-04-04" 8 | threat_name = "Windows.VulnDriver.Fidpci" 9 | reference_sample = "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46" 10 | severity = 50 11 | arch_context = "x86" 12 | scan_context = "file" 13 | license = "Elastic License v2" 14 | os = "windows" 15 | strings: 16 | $str1 = "\\fidpcidrv64.pdb" 17 | condition: 18 | int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 19 | } 20 | 21 | 
// ---- file: yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_Gvci.yar ----

// Known-abusable signed driver (BYOVD primitive). `int16(uint32(0x3C) + 0x5c) == 0x0001`
// reads the PE optional header's Subsystem field via e_lfanew and requires
// IMAGE_SUBSYSTEM_NATIVE (a driver); the PDB file name is the actual selector.
// File-scan only; a hit is an attack-surface finding, not proof of compromise.
rule Windows_VulnDriver_Gvci_f5a35359 {
    meta:
        author = "Elastic Security"
        id = "f5a35359-ee16-444a-aafd-c4ef162e46d4"
        fingerprint = "590e6b10c8bd1c299eb4ecd1368ac05d8811147c7ce3976de5e86d1a6d8bc14f"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.VulnDriver.Gvci"
        reference_sample = "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "\\GVCIDrv64.pdb"
    condition:
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

// ---- file: yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_Lha.yar ----

// LHA.sys. $original_file_name is UTF-16LE "OriginalFilename\0LHA.sys\0" from the
// VERSIONINFO resource, so renaming the file on disk does not evade it (editing the
// resource would).
rule Windows_VulnDriver_Lha_f72bff9a {
    meta:
        author = "Elastic Security"
        id = "f72bff9a-046c-4e02-9e11-4787c8aada75"
        fingerprint = "3b464386a60747131012d8380a34bed9329b02ac5cdc7b69b951f4f681243f35"
        creation_date = "2022-04-07"
        last_modified = "2022-04-07"
        description = "Name: LHA.sys"
        threat_name = "Windows.VulnDriver.Lha"
        reference_sample = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 4C 00 48 00 41 00 2E 00 73 00 79 00 73 00 00 00 }
    condition:
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $original_file_name
}
// ---- file: yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_ProcId.yar ----

// Known-abusable signed driver (BYOVD primitive). The subsystem check
// (`int16(uint32(0x3C) + 0x5c) == 0x0001`, IMAGE_SUBSYSTEM_NATIVE via e_lfanew) limits
// the rule to drivers; the PDB name is the selector. File-scan only, severity 50.
rule Windows_VulnDriver_ProcId_86605fa9 {
    meta:
        author = "Elastic Security"
        id = "86605fa9-bf1a-4c2c-87f5-cb656ebe4cf3"
        fingerprint = "6d8d926efd98d6eaa1d06d39fb5babf70abf6f0e639fb74f29f65836a79e4743"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.VulnDriver.ProcId"
        reference_sample = "b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "\\piddrv64.pdb"
    condition:
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

// ---- file: yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_RtCore.yar ----

// RTCore64 (MSI Afterburner driver, widely abused for kernel R/W). Selects on the
// \Device\RTCore64 name and explicitly excludes files carrying the Kaspersky
// anti-rootkit driver description — presumably because that driver exposes the same
// device name and would otherwise false-positive. The `not $str2` means a tampered
// copy that adds the Kaspersky string would evade this rule; do not rely on it as the
// only control for RTCore64.
rule Windows_VulnDriver_RtCore_4eeb2ce5 {
    meta:
        author = "Elastic Security"
        id = "4eeb2ce5-e481-4e9c-beda-2b01f259ed96"
        fingerprint = "cebca7dc572afccf4eb600980b9cbaef0878213f91c04b4605a0cf4d0e5e541f"
        creation_date = "2022-04-04"
        last_modified = "2022-08-30"
        threat_name = "Windows.VulnDriver.RtCore"
        reference_sample = "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "\\Device\\RTCore64" wide fullword
        $str2 = "Kaspersky Lab Anti-Rootkit Monitor Driver" wide fullword
    condition:
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1 and not $str2
}
--------------------------------------------------------------------------------
/yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_Speedfan.yar:
--------------------------------------------------------------------------------
// File-scan rule for the SpeedFan vulnerable driver, keyed on the code-signing
// certificate's Subject common name rather than on a string in the code.
// This matches any native-subsystem image whose embedded certificate carries
// that CN, so it is tied to the signer rather than to one build.
rule Windows_VulnDriver_Speedfan_9b590eee {
    meta:
        author = "Elastic Security"
        id = "9b590eee-5938-4293-afac-c9e730753413"
        fingerprint = "c58a8c3bfa710896c35262cc880b9afbadcdfdd73d9969c707e7b5b64e6a70b5"
        creation_date = "2022-04-07"
        last_modified = "2022-04-07"
        description = "Subject: Sokno S.R.L."
        threat_name = "Windows.VulnDriver.Speedfan"
        reference_sample = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // DER fragment: OID tag 06, length 03, 55 04 03 = id-at-commonName (2.5.4.3),
        // then [2] skips the string tag and length byte, then ASCII "Sokno S.R.L.".
        $subject_name = { 06 03 55 04 03 [2] 53 6F 6B 6E 6F 20 53 2E 52 2E 4C 2E }
    condition:
        // e_lfanew + 0x5C is the optional header's Subsystem; 1 is
        // IMAGE_SUBSYSTEM_NATIVE (kernel-mode driver). No MZ/PE magic check; an
        // out-of-range read is undefined and the condition is then false.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name
}

--------------------------------------------------------------------------------
/yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_WinFlash.yar:
--------------------------------------------------------------------------------
// File-scan rule for the WinFlash64 vulnerable driver; matches a native-subsystem
// PE carrying the WinFlash64 PDB path. A stripped/rebuilt copy would not match.
rule Windows_VulnDriver_WinFlash_881758da {
    meta:
        author = "Elastic Security"
        id = "881758da-760c-4c50-81f2-8bd698972ba2"
        fingerprint = "1c64ee1c3fc6bf93e207810a473367c404c824d0eaba15910b00016e23d53637"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.VulnDriver.WinFlash"
        reference_sample = "8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // Linker-embedded debug-symbol path (ASCII).
        $str1 = "\\WinFlash64.pdb"
    condition:
        // Subsystem field (e_lfanew + 0x5C) == 1 (IMAGE_SUBSYSTEM_NATIVE): driver image.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

--------------------------------------------------------------------------------
/yara_scanner_beta/yara_rules/es_rules/Windows_VulnDriver_Zam.yar:
--------------------------------------------------------------------------------
// File-scan rule for the Zemana AntiMalware (zam) vulnerable driver. Either the
// 32- or 64-bit build's PDB path is accepted; a stripped/rebuilt copy would
// not match.
rule Windows_VulnDriver_Zam_928812a7 {
    meta:
        author = "Elastic Security"
        id = "928812a7-ac7c-47cf-9111-11470b661d46"
        fingerprint = "8e5db0d4fee806538929680e7d3521b111b0e09fcc3eba3c191f6787375999cc"
        creation_date = "2022-04-04"
        last_modified = "2022-04-04"
        threat_name = "Windows.VulnDriver.Zam"
        reference_sample = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // Debug-symbol paths of the two architecture builds (ASCII, escaped backslashes).
        $pdb_64 = "AntiMalware\\bin\\zam64.pdb"
        $pdb_32 = "AntiMalware\\bin\\zam32.pdb"
    condition:
        // e_lfanew + 0x5C is the optional header's Subsystem; 1 is
        // IMAGE_SUBSYSTEM_NATIVE (kernel-mode driver). `any of ($pdb_*)` covers
        // both string identifiers with the $pdb_ prefix.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and any of ($pdb_*)
}

--------------------------------------------------------------------------------
/yara_scanner_beta/yara_scanner.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoomaSec/RmTools/db80cb3f19c2f378e4cb6c0d2b3960ff0db0ea45/yara_scanner_beta/yara_scanner.exe
--------------------------------------------------------------------------------
