├── awesome-yara.png
├── LICENSE
├── .travis.yml
├── CONTRIBUTING.md
├── README_CN.md
└── README.md

--------------------------------------------------------------------------------
/awesome-yara.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/product/awesome-yara/master/awesome-yara.png
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Attribution 4.0 International License (CC BY 4.0)

http://creativecommons.org/licenses/by/4.0/
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
language: ruby
rvm:
  - 2.2
before_script:
  - gem install awesome_bot
script:
  - awesome_bot README.md --white-list CONTRIBUTING.md
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
## Contributing

Pull requests and issues with suggestions are welcome! Please try to keep your changes
cleanly formatted and alphabetized. By submitting a PR you agree to release your
contributions under the terms of the [LICENSE](LICENSE).
--------------------------------------------------------------------------------
/README_CN.md:
--------------------------------------------------------------------------------
![Awesome YARA](awesome-yara.png)

A curated list of YARA rules, tools and related resources. This list was inspired by [awesome-python](https://github.com/vinta/awesome-python) and [awesome-php](https://github.com/ziadoz/awesome-php).

> YARA is an acronym for: YARA: Another Recursive Acronym, or Yet Another Ridiculous Acronym. Pick whichever you like.
>
> -- *[Victor M. Alvarez (@plusvic)](https://twitter.com/plusvic/status/778983467627479040)*

[YARA](https://virustotal.github.io/yara/) is the pattern-matching Swiss army knife for malware researchers (and everyone else). It is developed by [@plusvic](https://github.com/plusvic/) and [@VirusTotal](https://github.com/VirusTotal); see the [repository](https://github.com/virustotal/yara) on GitHub.

### Contents

- [Rules](#rules)
- [Tools](#tools)
- [Services](#services)
- [Syntax Highlighters](#syntax-highlighters)
- [People](#people)
- [Related Lists](#related-lists)
- [Contributing](#contributing)

### Legend

* :eyes: - Actively maintained, worth watching
* :gem: - Novel and educational
* :sparkles: - Good things that emerged in the past six months
* :trophy: - Absolutely not to be missed

## Rules

* [AlienVault Labs Rules](https://github.com/AlienVault-Labs/AlienVaultLabs/tree/master/malware_analysis)
  - Repository of tools, signatures and rules from [AlienVault Labs](https://cybersecurity.att.com/blogs/labs-research). The YARA rules can be found by their .yar and .yara extensions and range from APT detection to generic sandbox/VM detection. Last updated in January 2016.
* [Apple OSX](https://gist.github.com/pedramamini/c586a151a978f971b70412ca4485c491)
  - Nearly 40 signatures for detecting malware on macOS. The XProtect.yara file lives at /System/Library/CoreServices/XProtect.bundle/Contents/Resources/.
* [bamfdetect rules](https://github.com/bwall/bamfdetect/tree/master/BAMF_Detect/modules/yara)
  - Collection of rules from Brian Wallace.
* [bartblaze YARA rules](https://github.com/bartblaze/Yara-rules) :eyes:
  - Personal YARA signature repository.
* [BinaryAlert YARA Rules](https://github.com/airbnb/binaryalert/tree/master/rules/public)
  - A couple dozen rules released by AirBnB to accompany the BinaryAlert tool, detecting malware on Linux, Windows and OS X.
* [Burp YARA Rules](https://github.com/codewatchorg/Burp-Yara-Rules)
  - Collection of YARA rules for use with Burp Proxy through the Yara-Scanner extension. They mainly target non-EXE malware delivered over HTTP, including HTML, Java, Flash, Office and PDF files. Last updated in June 2016.
* 
[BinSequencer](https://github.com/karttoon/binsequencer)
  - Finds a common byte pattern across a set of sample files and generates a YARA signature from it.
* [CAPE Rules](https://github.com/kevoreilly/CAPEv2/tree/master/data/yara) :eyes:
  - Rules bundled with the Config And Payload Extraction (CAPE) extension for the Cuckoo sandbox.
* [CDI Rules](https://github.com/CyberDefenses/CDI_yara)
  - YARA signature repository from [CyberDefenses](https://cyberdefenses.com/blog/).
* [Citizen Lab Malware Signatures](https://github.com/citizenlab/malware-signatures)
  - YARA signature repository from Citizen Lab, with dozens of signatures covering many malware families. Last updated in November 2016.
* [ConventionEngine Rules](https://github.com/stvemillertime/ConventionEngine) :sparkles:
  - YARA rules that look for PDB paths containing unique, unusual or overtly malicious-looking keywords.
* [Deadbits Rules](https://github.com/deadbits/yara-rules) :eyes:
  - YARA rule repository from [Adam Swanda](https://www.deadbits.org/), Principal Threat Intelligence Analyst at Splunk, sharing results from his malware research.
* [Didier Stevens Rules](https://github.com/DidierStevens/DidierStevensSuite) :gem:
  - Collection of rules from Didier Stevens, author of tools for inspecting OLE/RTF/PDF files. These rules are generally written for threat hunting; new rules are announced on the NVISO [blog](https://blog.nviso.eu/).
* [ESET IOCs](https://github.com/eset/malware-ioc/) :eyes:
  - Repository of YARA and Snort signatures from ESET. Search by file extension to find the YARA rules; the repository is updated monthly. IOCs are also frequently disclosed on the [ESET WeLiveSecurity Blog](https://www.welivesecurity.com/).
* [Fidelis Rules](https://github.com/fideliscyber/indicators/tree/master/yararules)
  - Fidelis Cyber's repository holds six YARA rules and is updated roughly quarterly.
* [FireEye](https://github.com/fireeye/red_team_tool_countermeasures)
  - FireEye's repository of detection signatures for red team tools.
* [Florian Roth Rules](https://github.com/Neo23x0/signature-base/tree/master/yara) :eyes: :gem:
  - Florian Roth's continuously updated collection of IOCs and YARA rules. Dozens of actively maintained rules covering many threat types.
* [Florian Roth's IDDQD Rule](https://gist.github.com/Neo23x0/f1bb645a4f715cb499150c5a14d82b44)
  - Proof-of-concept rule showing how to detect red team and threat actor tooling.
* [f0wl yara_rules](https://github.com/f0wl/yara_rules)
  - YARA signature repository from the https://dissectingmalwa.re/ blog.
* [Frank Boldewin Rules](https://github.com/fboldewin/YARA-rules)
  - 
[@r3c0nst](https://twitter.com/@r3c0nst)'s collection of YARA rules.
* [FSF Rules](https://github.com/EmersonElectricCo/fsf/tree/master/fsf-server/yara)
  - File type detection rules for EmersonElectricCo's FSF.
* [GoDaddy ProcFilter Rules](https://github.com/godaddy/yara-rules)
  - A couple dozen rules released by GoDaddy for use with ProcFilter, including detection of packers, mimikatz and specific malware.
* [h3x2b Rules](https://github.com/h3x2b/yara-rules) :gem:
  - Rules from h3x2b that assist reverse engineering, for example identifying crypto code, high-entropy code (certificate discovery), and injection/hooking code.
* [Icewater Rules](https://github.com/SupportIntelligence/Icewater)
  - Collection of automatically generated YARA rules from Icewater.io.
* [imp0rtp3's Rules](https://github.com/imp0rtp3/yara-rules)
  - Repository of browser-based YARA rules.
* [Intezer Rules](https://github.com/intezer/yara-rules) :sparkles:
  - YARA rules from Intezer.
* [InQuest Rules](https://github.com/InQuest/yara-rules) :eyes:
  - Threat-hunting rules for VirusTotal published by InQuest researchers. The rules are updated continually, and new findings are discussed on the InQuest [blog](http://blog.inquest.net).
* [jeFF0Falltrades Rules](https://github.com/jeFF0Falltrades/YARA-Signatures) :sparkles:
  - Collection of YARA rules for various malware families.
* [kevthehermit Rules](https://github.com/kevthehermit/YaraRules)
  - Dozens of rules from Kevin Breen's personal collection; not updated since February 2016.
* [Koodous Community Rules](https://koodous.com/rulesets)
  - Community-driven rules for detecting Android APK malware.
* [Loginsoft Rules](https://research.loginsoft.com/yara-rules/)
  - YARA rules for detecting malicious Microsoft Office format files.
* [lw-yara](https://github.com/Hestat/lw-yara)
  - Ruleset for scanning Linux servers for spam, phishing sites and other web malware.
* [NCC Group Rules](https://github.com/nccgroup/Cyber-Defence/tree/master/Signatures/yara) :eyes:
  - YARA ruleset from NCC Group's Cyber Defence team.
* [Malice.IO YARA Plugin Rules](https://github.com/malice-plugins/yara/tree/master/rules) :eyes:
  - YARA ruleset from multiple sources for the Malice.IO framework.
* [Malpedia Auto Generated Rules](https://malpedia.caad.fkie.fraunhofer.de/api/get/yara/auto/zip) :sparkles:
  - Contains the rules automatically created by Malpedia's YARA-Signator.
* [Malpedia Auto Generated Rules Repo](https://github.com/malpedia/signator-rules) :sparkles:
  - Repository for easier access to Malpedia's automatically generated, code-based YARA rules.
* [McAfee Advanced Threat Research IOCs](https://github.com/advanced-threat-research/IOCs)
  - YARA rules and other IOCs released alongside McAfee ATR's blog and other public posts.
* [McAfee Advanced Threat Research Yara-Rules](https://github.com/advanced-threat-research/Yara-Rules)
  - YARA ruleset from the McAfee ATR team.
* [mikesxrs YARA Rules Collection](https://github.com/mikesxrs/Open-Source-YARA-rules) :eyes: :trophy:
  - Collection of open-source YARA rules from many sources, with over 100 categories, 1500 files and 4000 rules. If you only download one repository to study, make it this one.
* [Patrick Olsen Rules](https://github.com/prolsen/yara-rules) :gem:
  - Ruleset for scanning RATs, documents, PCAPs, executables and other malware; unfortunately not updated since 2014.
* [QuickSand Lite Rules](https://github.com/tylabs/quicksand_lite)
  - This repository contains a C framework and standalone tools for malware analysis, along with related YARA rules.
* [Rastrea2r](https://github.com/rastrea2r/rastrea2r)
  - Hunt for IOCs across thousands of endpoints in minutes.
* [ReversingLabs YARA Rules](https://github.com/reversinglabs/reversinglabs-yara-rules) :sparkles: :eyes:
  - YARA ruleset from ReversingLabs covering exploits, stealers, ransomware, trojans, viruses and other malware types.
* [Securitymagic's YARA Rules](https://github.com/securitymagic/yara)
  - YARA rules for responding to threats.
* [Sophos AI YaraML Rules](https://github.com/inv-ds-research/yaraml_rules)
  - Repository of automatically created YARA rules; each directory holds the rules together with their metadata (the file hashes used for machine-learning training and ROC curves).
* [SpiderLabs Rules](https://github.com/SpiderLabs/malware-analysis/tree/master/Yara)
  - Collection of tools and scripts from SpiderLabs. Only three YARA rules, last updated in 2015, but still worth a look.
* [StrangeRealIntel's Daily IOCs](https://github.com/StrangerealIntel/DailyIOC) :gem: :sparkles: :eyes:
  - Regularly updated collection of YARA rules for emerging threats.
* [t4d's PhishingKit-Yara-Rules](https://github.com/t4d/PhishingKit-Yara-Rules)
  - YARA rules for phishing kits, based on directory and file names found by analysing the raw format of zip archives.
* [Telekom Security Malware Analysis Repository](https://github.com/telekom-security/malware_analysis)
  - Scripts, signatures and other IOCs published on the telekom.com blog.
* 
[Tenable Rules](https://github.com/tenable/yara-rules)
  - Small rule collection from Tenable Network Security.
* [TjadaNel Rules](https://github.com/tjnel/yara_repo)
  - Small collection of malware rules.
* [VectraThreatLab Rules](https://github.com/VectraThreatLab/reyara)
  - YARA rules for identifying anti-reverse-engineering techniques.
* [Volexity - Threat-Intel](https://github.com/volexity/threat-intel) :sparkles: :gem:
  - IOCs that Volexity has publicly disclosed through its blog.
* [x64dbg Signatures](https://github.com/x64dbg/yarasigs) :gem:
  - Signatures for identifying packers, compilers and crypto.
* [YAIDS](https://github.com/wrayjustin/yaids) :gem: :sparkles:
  - Multithreaded intrusion detection system built on YARA. YAIDS supports all valid YARA rules and modules and any PCAP-compatible data stream (network, USB, Bluetooth, etc.).
* [YARA-FORENSICS](https://github.com/Xumeiquer/yara-forensics)
  - Collection of file type identification rules.
* [yara4pentesters](https://github.com/DiabloHorn/yara4pentesters)
  - Rules for identifying files that contain usernames, passwords and similar information.
* [YaraRules Project Official Repo](https://github.com/Yara-Rules/rules) :eyes:
  - Continuously updated, community-maintained ruleset.
* [Yara-Unprotect](https://github.com/fr0gger/Yara-Unprotect)
  - Rules created for Unprotect to detect malware evasion techniques.

## Tools

* [AirBnB BinaryAlert](https://github.com/airbnb/binaryalert)
  - Open-source AWS pipeline that scans every file uploaded to S3 with the configured YARA signatures.
* [androguard](https://github.com/Koodous/androguard-yara)
  - YARA module that integrates APK analysis.
* [Audit node_modules with YARA rules](https://github.com/rpgeeganage/audit-node-modules-with-yara)
  - Runs a given set of YARA rules against a given node_modules folder.
* [AutoYara](https://github.com/NeuromorphicComputationResearchProgram/AutoYara)
  - Automatic YARA rule generation using biclustering.
* [bamfdetect](https://github.com/bwall/bamfdetect)
  - Identifies and extracts information from malware.
* [base64_substring](https://github.com/DissectMalware/base64_substring)
  - YARA rules for matching base64-encoded data.
* [CAPE: Config And Payload Extraction](https://github.com/kevoreilly/CAPEv2) :eyes:
  - Cuckoo extension for extracting payloads and configuration from malware. The first run identifies the malware family; a second run then extracts the payload and configuration according to that family.
* 
[CCCS-Yara](https://github.com/CybercentreCanada/CCCS-Yara)
  - YARA rule metadata specification and validator.
* [clara](https://github.com/abhinavbom/clara) :sparkles:
  - Real-time ClamAV + YARA scanning of S3 buckets.
* [Cloudina Security Hawk](https://github.com/cloudina/hawk) :sparkles:
  - Cloud antivirus scanning API based on ClamAV and YARA for AWS S3, Azure Blob and GCP.
* [CrowdStrike Feed Management System](https://github.com/CrowdStrike/CrowdFMS)
  - Automatically collects and processes samples from VirusTotal, acting on YARA rule matches.
* [CSE-CST AssemblyLine](https://bitbucket.org/cse-assemblyline/alsvc_yara)
  - [AssemblyLine](https://cyber.gc.ca/en/assemblyline), open-sourced by Canada's Communications Security Establishment (CSE), analyses malicious files and provides a YARA interface.
* [dnYara](https://github.com/airbus-cert/dnYara)
  - Multi-platform .NET library for the native YARA library.
* [ELAT](https://github.com/reed1713/ELAT)
  - Windows event log analysis using YARA rules.
* [Emerson File Scanning Framework (FSF)](https://github.com/EmersonElectricCo/fsf)
  - Modular, recursive file scanning tool.
* [factual-rules-generator](https://github.com/CIRCL/factual-rules-generator)
  - Tool for generating YARA rules about the software installed on a running system.
* [Fastfinder](https://github.com/codeyourweb/fastfinder)
  - Cross-platform (Windows, Linux) suspicious file finder designed for incident response; supports MD5/SHA1/SHA256 hashes, strings/wildcards, regular expressions and YARA rules.
* [findcrypt-yara](https://github.com/polymorf/findcrypt-yara) and [FindYara](https://github.com/OALabs/FindYara)
  - IDA Pro plugins that use YARA rules to scan samples for crypto constants.
* [Fnord](https://github.com/Neo23x0/Fnord)
  - Pattern extraction tool for obfuscated code.
* [generic-parser](https://github.com/uppusaikiran/generic-parser)
  - YARA-enabled parser that extracts file metadata, performs static analysis and detects macro code in files.
* [GoDaddy ProcFilter](https://github.com/godaddy/procfilter) :gem:
  - ProcFilter is a Windows process filtering tool with YARA built in. It evaluates YARA rules carrying custom meta tags and takes the corresponding response action on a match. It runs as a Windows service, integrates with the Windows ETW API, and its results are visible in the Windows event log. Installation, startup and removal are all dynamic, with no reboot required.
* [go-yara](https://github.com/hillu/go-yara)
  - Go bindings for YARA.
* [halogen](https://github.com/target/halogen)
  - Halogen automatically creates YARA rules from images embedded in malicious documents.
* [Hyara](https://github.com/hyuunnn/Hyara)
  - Plugin for IDA Pro, Cutter and Binary Ninja that creates YARA rules from the ASCII and hex strings between a given start and end address.
* [IDA_scripts](https://github.com/swackhamer/IDA_scripts)
  - IDAPython scripts for generating YARA signatures from executable opcodes (including .NET).
* [ida_yara](https://github.com/alexander-hanel/ida_yara)
  - Scans the data inside an IDB with YARA.
* [ida-yara-processor](https://github.com/bnbdr/ida-yara-processor)
  - IDA processor module for compiled YARA rules.
* [InQuest ThreatKB](https://github.com/InQuest/ThreatKB)
  - Knowledge and workflow management for YARA rules, IOCs and related intelligence.
* [iocextract](https://github.com/InQuest/python-iocextract)
  - IOC extraction tool that can also extract YARA rules.
* [Invoke-Yara](https://github.com/secabstraction/Yara)
  - PowerShell script for running YARA on remote hosts.
* [java2yara](https://github.com/fxb-cocacoding/java2yara)
  - Library for generating YARA rules from Java.
* [KLara](https://github.com/KasperskyLab/klara)
  - Distributed scanning system written in Python that lets researchers scan sample collections.
* [Laika BOSS](https://github.com/lmco/laikaboss)
  - Extensible, flexible, detailed object scanning and intrusion detection system.
  - [Laika BOSS whitepaper](https://github.com/lmco/laikaboss/blob/master/LaikaBOSS_Whitepaper.pdf)
* [libyara.NET](https://github.com/microsoft/libyara.NET)
  - .NET bindings for libyara, built with C++/CLI.
* [MalConfScan](https://github.com/JPCERTCC/MalConfScan)
  - Volatility plugin that extracts known malware configurations: it searches memory for malware and extracts its configuration.
* [malscan](https://github.com/usualsuspect/malscan)
  - Process memory scanning with YARA that runs a Python script on each match.
* [MISP Threat Sharing](https://github.com/MISP/MISP)
  - Threat intelligence platform covering IOCs, threat intelligence and malicious samples, with support for sharing, generating and validating YARA rules.
* [MITRE MultiScanner](https://github.com/mitre/multiscanner)
  - Helps users evaluate a set of files by automatically running analyses on them.
* [mkYARA](https://github.com/fox-it/mkYARA)
  - Creates YARA rules from binary code.
* [mquery](https://github.com/CERT-Polska/mquery)
  - Web frontend for fast YARA scanning over large datasets.
* Nextron Systems OSS and Commercial Tools (Florian Roth: @Neo23x0)
  - [Loki](https://github.com/Neo23x0/Loki) IOC and YARA rule scanner implemented in Python (open source, free).
  - [THOR Lite](https://www.nextron-systems.com/thor-lite/) IOC and YARA rule scanner implemented in Go (closed source, free but requires registration).
* [node-yara](https://github.com/nospaceships/node-yara)
  - Node.js bindings for YARA.
* [ocaml-yara](https://github.com/elastic/ocaml-yara)
  - OCaml bindings for libyara.
* [OCYara](https://github.com/bandrel/OCyara)
  - Runs OCR on images and then scans the extracted text with YARA.
* [PasteHunter](https://github.com/kevthehermit/PasteHunter)
  - Scans pastebin.com with YARA rules.
* [plast](https://github.com/sk4la/plast)
  - Threat hunting tool built on YARA for detecting and processing IOCs.
* [plyara](https://github.com/plyara/plyara)
  - YARA rule parser written in Python.
* [Polichombr](https://github.com/ANSSI-FR/polichombr)
  - Malware analysis framework with YARA rule matching among other features.
* [PwC Cyber Threat Operations rtfsig](https://github.com/PwCUK-CTO/rtfsig)
  - Simplifies writing signatures for the potentially unique parts of RTF documents.
* [VirusTotalTools](https://github.com/silascutler/VirusTotalTools)
  - Tools for analysing samples with VirusTotal, including VT_RuleMGR.
* [QuickSand.io](http://quicksand.io/)
  - Compact C framework for analysing malicious documents, with a web interface and online analysis.
* [shotgunyara](https://github.com/darienhuss/shotgunyara)
  - Given a string, creates a YARA rule containing all 255 single-byte XORed versions of it.
* [spyre](https://github.com/spyre-project/spyre)
  - YARA-based file IOC scanner.
* [static_file_analysis](https://github.com/lprat/static_file_analysis)
  - Deep analysis of files (doc, pdf, exe, etc.) using clamscan and YARA.
* [stoQ](https://github.com/PUNCH-Cyber/stoq)
  - Modular and highly customisable framework for creating datasets from many different data sources.
* [Strelka](https://github.com/target/strelka)
  - File analysis system built on Python 3, ZeroMQ and YARA for threat detection and intelligence gathering.
* [Sysmon EDR](https://github.com/ion-storm/sysmon-edr) :sparkles:
  - YARA scanning, process termination, network blocking and other EDR features.
* [SwishDbgExt](https://github.com/comaeio/SwishDbgExt)
  - WinDbg extension for matching YARA rules against process memory.
* [ThreatIngestor](https://github.com/InQuest/ThreatIngestor/)
  - Automatically extracts IOCs (including YARA rules) from multiple sources.
* [UXProtect](https://digitasecurity.com/uxprotect/)
  - 
YARA scanning with Apple's built-in XProtect.
* [VTCodeSimilarity-YaraGen](https://github.com/arieljt/VTCodeSimilarity-YaraGen) :gem: :sparkles:
  - YARA rule generator for VirusTotal's `code-similar-to:` feature, written by [@arieljt](https://twitter.com/arieljt).
* [Vxsig](https://github.com/google/vxsig) :sparkles:
  - Automatically generates AV byte signatures from sets of similar samples.
* [yabin](https://github.com/AlienVault-OTX/yabin)
  - Creates YARA signatures from the executable code in malware.
* [yaml2yara](https://github.com/nccgroup/yaml2yara)
  - Bulk generation of YARA rules from YAML.
* [YARA-CI](https://yara-ci.cloud.virustotal.com/) :sparkles:
  - YARA-CI helps automate testing whenever rules change.
* [yara-endpoint](https://github.com/Yara-Rules/yara-endpoint)
  - YARA-based incident response tool.
* [Yara Finder](https://github.com/uppusaikiran/yara-finder)
  - Scanning framework based on @tylerha97's yara_scan, with a web API and Docker deployment.
* [YaraGenerator](https://github.com/Xen0ph0n/YaraGenerator)
  - Quick, simple and effective YARA rule generation tool.
* [YaraGen](https://github.com/mrexodia/YaraGen) and [yara_fn](https://github.com/williballenthin/idawilli/tree/master/scripts/yara_fn)
  - Plugins for x64dbg and IDAPython that generate YARA rules from function blocks.
* [YaraGuardian](https://github.com/PUNCH-Cyber/YaraGuardian)
  - Django-based web interface for managing YARA rules.
* [yara-java](https://github.com/p8a/yara-java)
  - Java bindings for YARA.
* [yaraMail](https://github.com/kevthehermit/yaraMail)
  - YARA scanner for IMAP feeds and saved streams.
* [Yara Malware Quick menu scanner](https://github.com/techbliss/Yara_Mailware_Quick_menu_scanner)
  - Adds YARA scanning to the Windows right-click menu.
* [YaraManager](https://github.com/kevthehermit/YaraManager)
  - Web-based management of YARA rules.
* [Yaramanager](https://github.com/3c7/yaramanager) ([PyPI](https://pypi.org/project/yaramanager/))
  - Command-line tool for managing and organising YARA rulesets.
* [yaramod](https://github.com/avast/yaramod)
  - Parses YARA rules into an AST and provides a C++ interface for building YARA rules.
* [yarAnalyzer](https://github.com/Neo23x0/yarAnalyzer)
  - YARA rule coverage analysis tool.
* 
[yara-ocaml](https://github.com/XVilka/yara-ocaml)
  - OCaml bindings for YARA.
* [yara-parser](https://github.com/Northern-Lights/yara-parser)
  - YARA rule parser written in Go.
* [yaraPCAP](https://github.com/kevthehermit/YaraPcap)
  - YARA scanner for IMAP feeds and saved streams.
* [yara-procdump-python](https://github.com/google/yara-procdump-python)
  - Python bindings for YARA's process memory access API.
* [yara-rust](https://github.com/Hugal31/yara-rust)
  - Rust bindings for YARA.
* [yara-signator](https://github.com/fxb-cocacoding/yara-signator) :sparkles:
  - Automatic YARA rule generator used by Malpedia.
* [YARA-sort](https://github.com/horsicq/YARA-sort)
  - Scans files with YARA rules; see the [blog post](https://n10info.blogspot.com/2019/10/nfd-sort.html) for details.
* [Yara Python ICAP Server](https://github.com/RamadhanAmizudin/python-icap-yara)
  - ICAP server that provides YARA scanning.
* [yarasafe](https://github.com/lucamassarelli/yarasafe)
  - Automatic function signature generation using machine learning.
* [Yara-Scanner](https://github.com/PolitoInc/Yara-Scanner)
  - YARA extension for Burp Suite, written in Python.
* [yarascanner](https://github.com/jheise/yarascanner)
  - Web service written in Go for scanning files with YARA.
* [yara_scanner](https://github.com/tsale/yara_scanner)
  - Script for scanning remote hosts using PsExec and native OS commands.
* [YaraSharp](https://github.com/stellarbear/YaraSharp)
  - C# bindings for the YARA library.
* [yara_tools](https://github.com/matonis/yara_tools)
  - Python interface for writing YARA rules.
* [Yara-Validator](https://github.com/CIRCL/yara-validator)
  - Validates YARA rules and tries to repair broken ones.
* [yaraVT](https://github.com/deadbits/yaraVT)
  - Scans files with YARA rules and posts the matches as comments on VirusTotal.
* [yara_zip_module](https://github.com/stoerchl/yara_zip_module)
  - Scans strings inside zip archives.
* [yarg](https://github.com/immortalp0ny/yarg)
  - IDAPython plugin that generates YARA rules from x86/x86-64 code.
* [yarGen](https://github.com/Neo23x0/yarGen)
  - YARA rule generator for finding related samples when hunting.
* [Yara Scanner](https://github.com/ace-ecosystem/yara_scanner)
  - Wrapper around the yara-python project with a range of additional features.
* [Yarasilly2](https://github.com/YARA-Silly-Silly/yarasilly2)
  - Semi-automatic tool, inspired by the DIFF feature of VirusTotal Premium accounts, that helps analysts generate YARA rules from samples.
* [yaya](https://github.com/EFForg/yaya)
  - Automatically manages open-source YARA rules and runs scans.
* [YaYaGen](https://github.com/jimmy-sonny/YaYaGen)
  - YARA rule generator for Android malware.
* [Yeti](https://github.com/yeti-platform/yeti)
  - Platform for organising IOCs, TTPs and threat-related knowledge in one repository.
* [yextend](https://github.com/BayshoreNetworks/yextend)
  - Extension that lets YARA inspect archived files.
* [yaraZeekAlert](https://github.com/SCILabsMX/yaraZeekAlert) :sparkles:
  - Scans files with YARA rules and sends email alerts on matches; if the malicious file is smaller than 10 MB it is attached to the email.
* [yaraScanParser](https://github.com/Sh3llyR/yaraScanParser)
  - Tool for parsing the JSON results of the [Yara Scan Service](https://riskmitigation.ch/yara-scan/).
* [Yobi](https://github.com/imp0rtp3/Yobi) :sparkles:
  - Firefox extension that runs YARA rules on browser pages and scripts.
* [statiStrings](https://github.com/Sh3llyR/statiStrings)
  - String statistics calculator for YARA rules.

## Services

* [Hybrid Analysis YARA Search](https://www.hybrid-analysis.com/yara-search)
  - YARA search/hunting from CrowdStrike/Hybrid Analysis.
* [InQuest Labs](https://labs.inquest.net) :sparkles: :gem:
  - The YARA section offers examples such as converting a regular expression into one that matches its base64-encoded form, and converting a string into a sequence that can be checked with uint().
* [Koodous](https://koodous.com/)
  - APK analysis platform with a community YARA rule repository and a large APK sample dataset.
* [MalShare](https://malshare.com/)
  - Free sample repository that gives security researchers access to malicious samples and YARA results.
* [MalwareConfig](https://malwareconfig.com/)
  - Extracts IOCs from RAT trojans.
* [YaraEditor (Web)](https://www.adlice.com/download/yaraeditorweb/)
  - All-in-one website for creating and managing YARA rules.
* [Yara Share](https://yara.adlice.com/)
  - Online community for uploading and sharing YARA rules.
* [Yara Scan Service](https://riskmitigation.ch/yara-scan/)
  - Simple service for testing YARA rules against a large corpus of malicious and known files.

## Syntax Highlighters

* Atom: [language-yara](https://github.com/blacktop/language-yara)
* Emacs: 
[yara-mode](https://github.com/binjo/yara-mode)
* GTK-based editors such as gedit and xed: [GtkSourceView-YARA](https://github.com/wesinator/GtkSourceView-YARA)
* Notepad++: [userDefinedLanguages](https://github.com/notepad-plus-plus/userDefinedLanguages/blob/master/udl-list.md)
* Sublime Text: [YaraSyntax](https://github.com/nyx0/YaraSyntax/)
* Vim: [vim-yara](https://github.com/yaunj/vim-yara), [vim-syntax-yara](https://github.com/s3rvac/vim-syntax-yara)
* Visual Studio Code: [vscode-yara](https://github.com/infosec-intern/vscode-yara)

## People

The Twitter accounts of the people mentioned on this page are collected in one list ([awesome-yara Twitter list](https://twitter.com/InQuest/lists/awesome-yara)); if you are missing from it, let us know.

## Related Lists

* [Crawler](https://github.com/BruceDone/awesome-crawler)
* [CVE PoC](https://github.com/qazbnm456/awesome-cve-poc)
* [Forensics](https://github.com/Cugu/awesome-forensics)
* [Hacking](https://github.com/carpedm20/awesome-hacking)
* [HackwithGithub](https://github.com/Hack-with-Github/Awesome-Hacking)
* [Honeypots](https://github.com/paralax/awesome-honeypots)
* [Incident-Response](https://github.com/meirwah/awesome-incident-response)
* [Infosec](https://github.com/onlurking/awesome-infosec)
* [IOCs](https://github.com/sroberts/awesome-iocs)
* [Malware Analysis](https://github.com/rshipp/awesome-malware-analysis)
* [ML for Cyber Security](https://github.com/jivoi/awesome-ml-for-cybersecurity)
* [OSINT](https://github.com/jivoi/awesome-osint)
* [PCAP Tools](https://github.com/caesar0301/awesome-pcaptools)
* [Pentesting](https://github.com/enaqx/awesome-pentest)
* [Reversing](https://github.com/tylerha97/awesome-reversing)
* [Security](https://github.com/sbilly/awesome-security)
* [Static Analysis](https://github.com/analysis-tools-dev/static-analysis)
* [Threat Detection](https://github.com/0x4D31/awesome-threat-detection)
* [Threat 
Intelligence](https://github.com/hslatman/awesome-threat-intelligence)

## Contributing

This list is maintained by [InQuest](https://inquest.net/). Feel free to submit anything that is missing.

See [CONTRIBUTING.md](CONTRIBUTING.md) before submitting.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
![Awesome YARA](awesome-yara.png)

A curated list of awesome YARA rules, tools, and resources. Inspired by [awesome-python](https://github.com/vinta/awesome-python) and [awesome-php](https://github.com/ziadoz/awesome-php).

> YARA is an acronym for: YARA: Another Recursive Acronym, or Yet Another Ridiculous Acronym. Pick your choice.
>
> -- *[Victor M. Alvarez (@plusvic)](https://twitter.com/plusvic/status/778983467627479040)*

[YARA](https://virustotal.github.io/yara/), the "pattern matching swiss knife for malware researchers (and everyone else)", is developed by [@plusvic](https://github.com/plusvic/) and [@VirusTotal](https://github.com/VirusTotal). View it on [GitHub](https://github.com/virustotal/yara).

### Contents

* [Rules](#rules)
* [Tools](#tools)
* [Services](#services)
* [Syntax Highlighters](#syntax-highlighters)
* [People](#people)
* [Related Awesome Lists](#related-awesome-lists)
* [Contributing](#contributing)
* [Just for Fun](http://yaramate.com)

### Legend

* :eyes: - Actively maintained, a repository worth watching.
* :gem: - Novel, interesting, educational, or otherwise stand-out content.
* :sparkles: - Added more recently, shiny new toys.
* :trophy: - The biggest collection award, awarded to a single repo.

## Rules

* [AlienVault Labs Rules](https://github.com/AlienVault-Labs/AlienVaultLabs/tree/master/malware_analysis)
  - Collection of tools, signatures, and rules from the researchers at [AlienVault Labs](https://cybersecurity.att.com/blogs/labs-research). Search the repo for .yar and .yara extensions to find about two dozen rules ranging from APT detection to generic sandbox / VM detection. Last updated in January of 2016.
* [Apple OSX](https://gist.github.com/pedramamini/c586a151a978f971b70412ca4485c491)
  - Apple has ~40 YARA signatures for detecting malware on OSX. 
The file, XProtect.yara, is available locally at /System/Library/CoreServices/XProtect.bundle/Contents/Resources/.
* [bamfdetect rules](https://github.com/bwall/bamfdetect/tree/master/BAMF_Detect/modules/yara)
  - Custom rules from Brian Wallace used for bamfdetect, along with some rules from other sources.
* [bartblaze YARA rules](https://github.com/bartblaze/Yara-rules) :eyes:
  - Collection of personal YARA rules.
* [BinaryAlert YARA Rules](https://github.com/airbnb/binaryalert/tree/master/rules/public)
  - A couple dozen rules written and released by AirBnB as part of their BinaryAlert tool (see next section). Detection for hack tools, malware, and ransomware across Linux, Windows, and OS X. This is a new and active project.
* [Burp YARA Rules](https://github.com/codewatchorg/Burp-Yara-Rules)
  - Collection of YARA rules intended to be used with the Burp Proxy through the Yara-Scanner extension. These rules focus mostly on non-exe malware typically delivered over HTTP including HTML, Java, Flash, Office, PDF, etc. Last updated in June of 2016.
* [BinSequencer](https://github.com/karttoon/binsequencer)
  - Find a common pattern of bytes within a set of samples and generate a YARA rule from the identified pattern.
* [CAPE Rules](https://github.com/kevoreilly/CAPEv2/tree/master/data/yara) :eyes:
  - Rules from various authors bundled with the Config And Payload Extraction Cuckoo Sandbox extension (see next section).
* [CDI Rules](https://github.com/CyberDefenses/CDI_yara)
  - Collection of YARA rules released by [CyberDefenses](https://cyberdefenses.com/blog/) for public use. Built from information in intelligence profiles, dossiers and file work.
* [Citizen Lab Malware Signatures](https://github.com/citizenlab/malware-signatures)
  - YARA signatures developed by Citizen Lab. Dozens of signatures covering a variety of malware families. They also include a syntax file for Vim. 
Last update was in November of 2016.
* [ConventionEngine Rules](https://github.com/stvemillertime/ConventionEngine) :sparkles:
  - A collection of YARA rules looking for PEs with PDB paths that have unique, unusual, or overtly malicious-looking keywords, terms, or other features.
* [Deadbits Rules](https://github.com/deadbits/yara-rules) :eyes:
  - A collection of YARA rules made public by [Adam Swanda](https://www.deadbits.org/), Splunk's Principal Threat Intel Analyst, from his own recent malware research.
* [Didier Stevens Rules](https://github.com/DidierStevens/DidierStevensSuite) :gem:
  - Collection of rules from Didier Stevens, author of a suite of tools for inspecting OLE/RTF/PDF. Didier's rules are worth scrutinizing and are generally written with hunting in mind. New rules are frequently announced through the [NVISO Labs Blog](https://blog.nviso.eu/).
* [ESET IOCs](https://github.com/eset/malware-ioc/) :eyes:
  - Collection of YARA and Snort rules from IOCs collected by ESET researchers. There are about a dozen YARA rules to glean from this repo; search for the file extension .yar. This repository is seemingly updated on a roughly monthly interval. New IOCs are often mentioned on the [ESET WeLiveSecurity Blog](https://www.welivesecurity.com/).
* [Fidelis Rules](https://github.com/fideliscyber/indicators/tree/master/yararules)
  - You can find a half dozen YARA rules in Fidelis Cyber's IOC repository. They update this repository on a roughly quarterly interval. Complete blog content is also available in this repository.
* [FireEye](https://github.com/fireeye/red_team_tool_countermeasures)
  - FireEye Red Team countermeasures detection.
* [Florian Roth Rules](https://github.com/Neo23x0/signature-base/tree/master/yara) :eyes: :gem:
  - Florian Roth's signature base is a frequently updated collection of IOCs and YARA rules that cover a wide range of threats. 
There are dozens of rules which are actively maintained. Watch the repository to see rules evolve over time to address false positives / negatives.
* [Florian Roth's IDDQD Rule](https://gist.github.com/Neo23x0/f1bb645a4f715cb499150c5a14d82b44)
  - A proof-of-concept rule that shows how easy it actually is to detect red teamer and threat group tools and code.
* [f0wl yara_rules](https://github.com/f0wl/yara_rules)
  - A collection of YARA rules from https://dissectingmalwa.re/ blog posts.
* [Frank Boldewin Rules](https://github.com/fboldewin/YARA-rules)
  - A collection of YARA rules from [@r3c0nst](https://twitter.com/@r3c0nst).
* [FSF Rules](https://github.com/EmersonElectricCo/fsf/tree/master/fsf-server/yara)
  - Mostly filetype detection rules, from the EmersonElectricCo FSF project (see next section).
* [GoDaddy ProcFilter Rules](https://github.com/godaddy/yara-rules)
  - A couple dozen rules written and released by GoDaddy for use with ProcFilter (see next section). Example rules include detection for packers, mimikatz, and specific malware.
* [h3x2b Rules](https://github.com/h3x2b/yara-rules) :gem:
  - Collection of signatures from h3x2b which stand out in that they are generic and can be used to assist in reverse engineering. There are YARA rules for identifying crypto routines, highly entropic sections (certificate discovery, for example), discovering injection / hooking functionality, and more.
* [Icewater Rules](https://github.com/SupportIntelligence/Icewater)
  - Repository of automatically generated YARA rules from Icewater.io. This repository is updated rapidly with newly generated signatures that mostly match on file size range and partial content hashes.
* [imp0rtp3's Rules](https://github.com/imp0rtp3/yara-rules)
  - A small repository which contains some browser-based rules. 
* [Intezer Rules](https://github.com/intezer/yara-rules) :sparkles:
    - YARA rules published by Intezer Labs.
* [InQuest Rules](https://github.com/InQuest/yara-rules) :eyes:
    - YARA rules published by InQuest researchers, mostly geared towards threat hunting on VirusTotal. Rules are updated as new samples are collected and novel pivots are discovered. The [InQuest Blog](http://blog.inquest.net) will often discuss new findings.
* [jeFF0Falltrades Rules](https://github.com/jeFF0Falltrades/YARA-Signatures) :sparkles:
    - A collection of YARA signatures for various malware families.
* [kevthehermit Rules](https://github.com/kevthehermit/YaraRules)
    - Dozens of rules from the personal collection of Kevin Breen. This repository hasn't been updated since February of 2016.
* [Koodous Community Rules](https://koodous.com/rulesets)
    - Community-contributed rules for Android APK malware.
* [Loginsoft Rules](https://research.loginsoft.com/yara-rules/)
    - YARA rules for detecting malicious documents targeting the Microsoft Office format.
* [lw-yara](https://github.com/Hestat/lw-yara)
    - Ruleset for scanning Linux servers for shells, spamming, phishing and other webserver baddies.
* [NCC Group Rules](https://github.com/nccgroup/Cyber-Defence/tree/master/Signatures/yara) :eyes:
    - A handful of YARA rules released by NCC Group's Cyber Defence team.
* [Malice.IO YARA Plugin Rules](https://github.com/malice-plugins/yara/tree/master/rules) :eyes:
    - Collection of topical rules from a variety of sources for the YARA component of the Malice.IO framework.
* [Malpedia Auto Generated Rules](https://malpedia.caad.fkie.fraunhofer.de/api/get/yara/auto/zip) :sparkles:
    - A zip file that contains all automatically generated, code-based rules created using Malpedia's YARA-Signator.
* [Malpedia Auto Generated Rules Repo](https://github.com/malpedia/signator-rules) :sparkles:
    - Repository to simplify access to and synchronization of Malpedia's automatically generated, code-based YARA rules.
* [McAfee Advanced Threat Research IOCs](https://github.com/advanced-threat-research/IOCs)
    - IOCs, including YARA rules, to accompany McAfee ATR's blog and other public posts.
* [McAfee Advanced Threat Research Yara-Rules](https://github.com/advanced-threat-research/Yara-Rules)
    - Repository of YARA rules made by McAfee ATR Teams.
* [mikesxrs YARA Rules Collection](https://github.com/mikesxrs/Open-Source-YARA-rules) :eyes: :trophy:
    - Large collection of open source rules aggregated from a variety of sources, including blogs and other more ephemeral sources. Over 100 categories, 1500 files, 4000 rules, and 20 MB. If you're going to pull down a single repo to play with, this is the one.
* [Patrick Olsen Rules](https://github.com/prolsen/yara-rules) :gem:
    - Small collection of rules with a wide footprint for variety in detection. RATs, documents, PCAPs, executables, in-memory, point-of-sale malware, and more. Unfortunately this repository hasn't seen an update since late 2014.
* [QuickSand Lite Rules](https://github.com/tylabs/quicksand_lite)
    - This repo contains a C framework and standalone tool for malware analysis, along with several useful YARA rules developed for use with the project.
* [Rastrea2r](https://github.com/rastrea2r/rastrea2r)
    - Triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes.
* [ReversingLabs YARA Rules](https://github.com/reversinglabs/reversinglabs-yara-rules) :sparkles: :eyes:
    - A collection of YARA rules published by ReversingLabs which covers exploits, infostealers, ransomware, trojans, and viruses.
* [Securitymagic's YARA Rules](https://github.com/securitymagic/yara)
    - YARA rules for a variety of threats.
* [Sophos AI YaraML Rules](https://github.com/inv-ds-research/yaraml_rules)
    - A repository of Yara rules created automatically as translations of machine learning models. Each directory will have a rule and accompanying metadata: hashes of files used in training, and an accuracy diagram (a ROC curve).
* [SpiderLabs Rules](https://github.com/SpiderLabs/malware-analysis/tree/master/Yara)
    - Repository of tools and scripts related to malware analysis from the researchers at SpiderLabs. There are only three YARA rules here and the last update was back in 2015, but it is worth exploring.
* [StrangeRealIntel's Daily IOCs](https://github.com/StrangerealIntel/DailyIOC) :gem: :sparkles: :eyes:
    - Regularly updated YARA rules covering a variety of fresh threats.
* [t4d's PhishingKit-Yara-Rules](https://github.com/t4d/PhishingKit-Yara-Rules)
    - This repository is dedicated to YARA rules for phishing kit zip files. The rules are based on analysis of the raw zip format to find directory and file names, so you don't need yara-extend there.
* [Telekom Security Malware Analysis Repository](https://github.com/telekom-security/malware_analysis)
    - This repository comprises scripts, signatures, and additional IOCs of our blog posts at the telekom.com blog.
* [Tenable Rules](https://github.com/tenable/yara-rules)
    - Small collection from Tenable Network Security.
* [TjadaNel Rules](https://github.com/tjnel/yara_repo)
    - Small collection of malware rules.
* [VectraThreatLab Rules](https://github.com/VectraThreatLab/reyara)
    - YARA rules for identifying anti-RE malware techniques.
* [Volexity - Threat-Intel](https://github.com/volexity/threat-intel) :sparkles: :gem:
    - This repository contains IoCs related to Volexity public threat intelligence blog posts.
* [x64dbg Signatures](https://github.com/x64dbg/yarasigs) :gem:
    - Collection of interesting packer, compiler, and crypto identification signatures.
* [YAIDS](https://github.com/wrayjustin/yaids) :gem: :sparkles:
    - YAIDS is a multi-threaded Intrusion Detection System using Yara. YAIDS supports all valid Yara rules (including modules) and any PCAP-compatible data stream (Network, USB, Bluetooth, etc.).
* [YARA-FORENSICS](https://github.com/Xumeiquer/yara-forensics)
    - Collection of file type identifying rules.
* [yara4pentesters](https://github.com/DiabloHorn/yara4pentesters)
    - Rules to identify files containing juicy information like usernames, passwords etc.
* [YaraRules Project Official Repo](https://github.com/Yara-Rules/rules) :eyes:
    - Large collection of rules constantly updated by the community.
* [Yara-Unprotect](https://github.com/fr0gger/Yara-Unprotect)
    - Rules created for the Unprotect Project for detecting malware evasion techniques.

## Tools

* [AirBnB BinaryAlert](https://github.com/airbnb/binaryalert)
    - Open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules.
* [androguard](https://github.com/Koodous/androguard-yara)
    - YARA module that integrates APK analysis.
* [Arya - The Reverse YARA](https://github.com/claroty/arya)
    - Arya is a unique tool that produces pseudo-malicious files meant to trigger YARA rules. You can think of it like a reverse YARA because it does exactly the opposite - it creates files that match your rules.
* [Audit Node Modules With YARA Rules](https://github.com/rpgeeganage/audit-node-modules-with-yara)
    - Run a given set of YARA rules against the given node_modules folder.
* [AutoYara](https://github.com/NeuromorphicComputationResearchProgram/AutoYara)
    - Automated Yara rule generation using biclustering.
* [bamfdetect](https://github.com/bwall/bamfdetect)
    - Identifies and extracts information from bots and other malware.
* [base64_substring](https://github.com/DissectMalware/base64_substring)
    - Generate YARA rules to match terms against base64-encoded data.
* [CAPE: Config And Payload Extraction](https://github.com/kevoreilly/CAPEv2) :eyes:
    - Extension of Cuckoo specifically designed to extract payloads and configuration from malware. CAPE can detect a number of malware techniques or behaviours, as well as specific malware families, from its initial run on a sample. This detection then triggers a second run with a specific package, in order to extract the malware payload and possibly its configuration, for further analysis.
* [CCCS-Yara](https://github.com/CybercentreCanada/CCCS-Yara)
    - YARA rule metadata specification and validation utility.
* [clara](https://github.com/abhinavbom/clara) :sparkles:
    - Serverless, real-time, ClamAV+Yara scanning for your S3 buckets.
* [Cloudina Security Hawk](https://github.com/cloudina/hawk) :sparkles:
    - Multi-cloud antivirus scanning API based on ClamAV and YARA for AWS S3, Azure Blob Storage, and GCP Cloud Storage.
* [CrowdStrike Feed Management System](https://github.com/CrowdStrike/CrowdFMS)
    - Framework for automating collection and processing of samples from VirusTotal, and executing commands based on YARA rule matches.
* [CSE-CST AssemblyLine](https://bitbucket.org/cse-assemblyline/alsvc_yara)
    - The Canadian Communications Security Establishment (CSE) open sourced [AssemblyLine](https://cyber.gc.ca/en/assemblyline), a platform for analyzing malicious files. The component linked here provides an interface to YARA.
* [dnYara](https://github.com/airbus-cert/dnYara)
    - A multi-platform .NET wrapper library for the native YARA library.
* [ELAT](https://github.com/reed1713/ELAT)
    - Event Log Analysis Tool that creates/uses YARA rules for Windows event log analysis.
* [Emerson File Scanning Framework (FSF)](https://github.com/EmersonElectricCo/fsf)
    - Modular, recursive file scanning solution.
* [ExchangeFilter](https://github.com/k-sec-tools/ExchangeFilter)
    - MS Exchange transport agent that uses YARA to detect malware in email messages.
* [factual-rules-generator](https://github.com/CIRCL/factual-rules-generator)
    - Factual-rules-generator is an open source project which aims to generate YARA rules about installed software from a running operating system.
* [Fastfinder](https://github.com/codeyourweb/fastfinder)
    - Fast customisable cross-platform suspicious file finder. Designed for incident response. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules. Can easily be packed to be deployed on any Windows / Linux host.
* [findcrypt-yara](https://github.com/polymorf/findcrypt-yara) and [FindYara](https://github.com/OALabs/FindYara)
    - IDA Pro plugins to scan your binary with YARA rules to find crypto constants (and more).
* [Fnord](https://github.com/Neo23x0/Fnord)
    - Pattern extractor for obfuscated code.
* [generic-parser](https://github.com/uppusaikiran/generic-parser)
    - Parser with YARA support, to extract meta information, perform static analysis and detect macros within files.
* [GoDaddy ProcFilter](https://github.com/godaddy/procfilter) :gem:
    - ProcFilter is a process filtering system for Windows with built-in YARA integration. YARA rules can be instrumented with custom meta tags that tailor its response to rule matches. It runs as a Windows service and is integrated with Microsoft's ETW API, making results viewable in the Windows Event Log. Installation, activation, and removal can be done dynamically and do not require a reboot.
* [go-yara](https://github.com/hillu/go-yara)
    - Go bindings for YARA.
* [halogen](https://github.com/target/halogen)
    - Halogen is a tool to automate the creation of YARA rules against image files embedded within a malicious document.
* [Hyara](https://github.com/hyuunnn/Hyara)
    - IDA Pro, Cutter, and BinaryNinja plugin that provides easy creation of YARA rules for ASCII & hex strings between a given start and end address.
* [IDA_scripts](https://github.com/swackhamer/IDA_scripts)
    - IDA Python scripts for generating YARA sigs from executable opcodes (.NET included).
* [ida_yara](https://github.com/alexander-hanel/ida_yara)
    - Scan data within an IDB using YARA.
* [ida-yara-processor](https://github.com/bnbdr/ida-yara-processor)
    - IDA processor for compiled YARA rules.
* [InQuest ThreatKB](https://github.com/InQuest/ThreatKB)
    - Knowledge base workflow management for YARA rules and C2 artifacts (IP, DNS, SSL).
* [iocextract](https://github.com/InQuest/python-iocextract)
    - Advanced Indicator of Compromise (IOC) extractor, with YARA rule extraction.
* [Invoke-Yara](https://github.com/secabstraction/Yara)
    - PowerShell scripts to run YARA on remote machines.
* [java2yara](https://github.com/fxb-cocacoding/java2yara)
    - A minimal library to generate YARA rules from Java.
* [KLara](https://github.com/KasperskyLab/klara)
    - Distributed system written in Python that allows researchers to scan one or more YARA rules over collections with samples.
* [Laika BOSS](https://github.com/lmco/laikaboss)
    - Object scanner and intrusion detection system that strives to achieve the following goals: Scalable, Flexible, Verbose.
    - [Whitepaper](https://github.com/lmco/laikaboss/blob/master/LaikaBOSS_Whitepaper.pdf)
* [libyara.NET](https://github.com/microsoft/libyara.NET)
    - .NET wrapper for libyara built in C++/CLI, used to easily incorporate YARA into .NET projects.
* [MalConfScan](https://github.com/JPCERTCC/MalConfScan)
    - MalConfScan is a Volatility plugin that extracts configuration data of known malware. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.
* [malscan](https://github.com/usualsuspect/malscan)
    - Scan process memory for YARA matches and execute Python scripts if a match is found.
* [MISP Threat Sharing](https://github.com/MISP/MISP)
    - Threat intelligence platform including indicators, threat intelligence, malware samples and binaries. Includes support for sharing, generating, and validating YARA signatures.
* [MITRE MultiScanner](https://github.com/mitre/multiscanner)
    - File analysis framework that assists the user in evaluating a set of files by automatically running a suite of tools for the user and aggregating the output.
* [mkYARA](https://github.com/fox-it/mkYARA)
    - Generate YARA rules based on binary code.
* [mquery](https://github.com/CERT-Polska/mquery)
    - Web frontend for running blazingly fast YARA queries on large datasets.
* Nextron Systems OSS and Commercial Tools (Florian Roth: @Neo23x0)
    - [Loki](https://github.com/Neo23x0/Loki) IOC and YARA rule scanner implemented in Python. Open source and free.
    - [THOR Lite](https://www.nextron-systems.com/thor-lite/) IOC and YARA rule scanner implemented in Go. Closed source, free, but registration required.
* [node-yara](https://github.com/nospaceships/node-yara)
    - YARA support for Node.js.
* [ocaml-yara](https://github.com/elastic/ocaml-yara)
    - OCaml bindings to libyara.
* [OCYara](https://github.com/bandrel/OCyara)
    - Performs OCR on image files and scans them for matches to YARA rules.
* [PasteHunter](https://github.com/kevthehermit/PasteHunter)
    - Scan pastebin.com with YARA rules.
* [plast](https://github.com/sk4la/plast)
    - Threat hunting tool for detecting and processing IOCs using YARA under the hood.
* [plyara](https://github.com/plyara/plyara)
    - Parse YARA rules with Python.
* [Polichombr](https://github.com/ANSSI-FR/polichombr)
    - Collaborative malware analysis framework with YARA rule matching and other features.
* [PwC Cyber Threat Operations rtfsig](https://github.com/PwCUK-CTO/rtfsig)
    - This tool is designed to make it easy to signature potentially unique parts of RTF files.
* [VirusTotalTools](https://github.com/silascutler/VirusTotalTools)
    - Tools for checking samples against VirusTotal, including VT_RuleMGR, for managing threat hunting YARA rules.
* [QuickSand.io](http://quicksand.io/)
    - Compact C framework to analyze suspected malware documents. Also includes a web interface and online analysis.
* [shotgunyara](https://github.com/darienhuss/shotgunyara)
    - Given a string, create 255 XOR-encoded versions of that string as a YARA rule.
* [spyre](https://github.com/spyre-project/spyre)
    - Simple, self-contained YARA-based file IOC scanner.
* [static_file_analysis](https://github.com/lprat/static_file_analysis)
    - Deeply analyze embedded files (doc, pdf, exe, ...) with clamscan and YARA.
* [stoQ](https://github.com/PUNCH-Cyber/stoq)
    - Modular and highly customizable framework for the creation of data sets from multiple disparate data sources.
* [Strelka](https://github.com/target/strelka)
    - Detection-oriented file analysis system built on Python3, ZeroMQ, and YARA, primarily used for threat detection/hunting and intelligence gathering.
* [Sysmon EDR](https://github.com/ion-storm/sysmon-edr) :sparkles:
    - YARA scanning, process killing, network blocking, and more.
* [SwishDbgExt](https://github.com/comaeio/SwishDbgExt)
    - Microsoft WinDbg extension which includes the ability to use YARA rules to hunt processes in memory.
* [ThreatIngestor](https://github.com/InQuest/ThreatIngestor/)
    - Automatically extract and aggregate IOCs, including YARA rules, from many sources.
* [UXProtect](https://digitasecurity.com/uxprotect/)
    - The missing UI to Apple's built-in XProtect YARA signatures. Enumerate signatures, scan files, and more.
* [VTCodeSimilarity-YaraGen](https://github.com/arieljt/VTCodeSimilarity-YaraGen) :gem: :sparkles:
    - YARA rule generator using the VirusTotal code similarity feature `code-similar-to:`, written by [@arieljt](https://twitter.com/arieljt).
* [Vxsig](https://github.com/google/vxsig) :sparkles:
    - Automatically generate AV byte signatures from sets of similar binaries.
* [yabin](https://github.com/AlienVault-OTX/yabin)
    - Creates YARA signatures from executable code within malware.
* [yaml2yara](https://github.com/nccgroup/yaml2yara)
    - Generate bulk YARA rules from YAML input.
* [YARA-CI](https://yara-ci.cloud.virustotal.com/) :sparkles:
    - YARA-CI helps you to keep your YARA rules in good shape.
It can be integrated into any GitHub repository containing YARA rules and it will run automated tests every time you make some change.
* [yara-endpoint](https://github.com/Yara-Rules/yara-endpoint)
    - Tool useful for incident response as well as an anti-malware endpoint based on YARA signatures.
* [YaraFileCheckerLib](https://github.com/k-sec-tools/YaraFileCheckerLib)
    - .NET library designed to make it easier to check potentially malicious files and archives using YARA and make a decision about their harmfulness based on the weights of the detected rules.
* [Yara Finder](https://github.com/uppusaikiran/yara-finder)
    - Web API and docker image for scanning files against YARA rules, built on @tylerha97's yara_scan.
* [YaraGenerator](https://github.com/Xen0ph0n/YaraGenerator)
    - Quick, simple, and effective YARA rule creation to isolate malware families and other malicious objects of interest.
* [YaraGen](https://github.com/mrexodia/YaraGen) and [yara_fn](https://github.com/williballenthin/idawilli/tree/master/scripts/yara_fn)
    - Plugins for x64dbg and IDAPython, respectively, that generate YARA rules from function blocks.
* [YaraGuardian](https://github.com/PUNCH-Cyber/YaraGuardian)
    - Django web interface for managing YARA rules.
* [yara-java](https://github.com/p8a/yara-java)
    - Java bindings for YARA.
* [yaraMail](https://github.com/kevthehermit/yaraMail)
    - YARA scanner for IMAP feeds and saved streams.
* [Yara Malware Quick menu scanner](https://github.com/techbliss/Yara_Mailware_Quick_menu_scanner)
    - Adds the awesome YARA pattern scanner to Windows right-click menus.
* [YaraManager](https://github.com/kevthehermit/YaraManager)
    - Web based manager for YARA rules.
* [Yaramanager](https://github.com/3c7/yaramanager) ([PyPI](https://pypi.org/project/yaramanager/))
    - Command line tool to manage and organize your Yara ruleset.
* [yaramod](https://github.com/avast/yaramod)
    - A library that provides parsing of YARA rules into an AST and a C++ programming interface to build new YARA rulesets.
* [yarAnalyzer](https://github.com/Neo23x0/yarAnalyzer)
    - YARA rule set coverage analyzer.
* [yara-ocaml](https://github.com/XVilka/yara-ocaml)
    - OCaml bindings for YARA.
* [yara-parser](https://github.com/Northern-Lights/yara-parser)
    - Tools for parsing rulesets using the exact grammar as YARA. Written in Go.
* [yaraPCAP](https://github.com/kevthehermit/YaraPcap)
    - YARA scanner for IMAP feeds and saved streams.
* [yara-procdump-python](https://github.com/google/yara-procdump-python)
    - Python extension to wrap the YARA process memory access API.
* [yara-rust](https://github.com/Hugal31/yara-rust)
    - Rust bindings for VirusTotal/Yara.
* [yara-signator](https://github.com/fxb-cocacoding/yara-signator) :sparkles:
    - Automatic YARA rule generation for Malpedia.
* [YARA-sort](https://github.com/horsicq/YARA-sort)
    - Aggregate files into collections based on YARA rules. [blog](https://n10info.blogspot.com/2019/10/nfd-sort.html)
* [Yara Python ICAP Server](https://github.com/RamadhanAmizudin/python-icap-yara)
    - ICAP server with YARA scanner.
* [yarasafe](https://github.com/lucamassarelli/yarasafe)
    - Automatic generation of function signatures using machine learning.
* [Yara-Scanner](https://github.com/PolitoInc/Yara-Scanner)
    - Python-based extension that integrates a YARA scanner into Burp Suite.
* [yarascanner](https://github.com/jheise/yarascanner)
    - Golang-based web service to scan files with YARA rules.
* [yara_scanner](https://github.com/tsale/yara_scanner)
    - This script allows you to scan multiple remote nodes using PsExec and native OS commands.
* [YaraSharp](https://github.com/stellarbear/YaraSharp)
    - C# wrapper around the Yara pattern matching library.
* [yara_tools](https://github.com/matonis/yara_tools)
    - Python bindings to author YARA rules using natural Python conventions.
* [Yara-Validator](https://github.com/CIRCL/yara-validator)
    - Validates YARA rules and tries to repair the broken ones.
* [yaraVT](https://github.com/deadbits/yaraVT)
    - Scan files with Yara and send rule matches to VirusTotal reports as comments.
* [yara_zip_module](https://github.com/stoerchl/yara_zip_module)
    - Search for strings inside a zip file.
* [yarg](https://github.com/immortalp0ny/yarg)
    - IDAPython plugin for generating YARA rules from x86/x86-64 code.
* [yarGen](https://github.com/Neo23x0/yarGen)
    - YARA rule generator for finding related samples and hunting.
* [Yara Scan](http://zeroq.ydns.eu/)
    - Place to upload files and scan with internal rules.
* [Yara Scanner](https://github.com/ace-ecosystem/yara_scanner)
    - A wrapper around the yara-python project providing multiple capabilities.
* [Yarasilly2](https://github.com/YARA-Silly-Silly/yarasilly2)
    - A semi-automatic tool (WIP) for malware analysts that generates YARA rules from sample virus files, inspired by the DIFF function of VirusTotal Premium accounts.
* [yaya](https://github.com/EFForg/yaya)
    - Automatically curate open source YARA rules and run scans.
* [YaYaGen](https://github.com/jimmy-sonny/YaYaGen)
    - YARA rule generator for Android malware.
* [Yeti](https://github.com/yeti-platform/yeti)
    - Platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
* [yextend](https://github.com/BayshoreNetworks/yextend)
    - YARA integrated software to handle archive file data.
* [yaraZeekAlert](https://github.com/SCILabsMX/yaraZeekAlert) :sparkles:
    - Scans files with YARA rules and sends email alerts which include the network context of the file transfer and attach the suspicious file if it is less than 10 MB.
* [yaraScanParser](https://github.com/Sh3llyR/yaraScanParser)
    - Parsing tool for [Yara Scan Service](https://riskmitigation.ch/yara-scan/)'s JSON output file.
* [YMCA](https://github.com/m0n4/YARA-Matches-Correspondance-Array)
    - Displays a table of matches between YARA rules and a collection of samples.
* [Yobi](https://github.com/imp0rtp3/Yobi) :sparkles:
    - Yobi is a basic Firefox extension which allows running public or private YARA rules on all scripts and pages rendered by the browser.
* [statiStrings](https://github.com/Sh3llyR/statiStrings)
    - Strings statistics calculator for YARA rules.

## Services

* [Hybrid Analysis YARA Search](https://www.hybrid-analysis.com/yara-search)
    - YARA search / hunting from CrowdStrike / Hybrid Analysis, powered by Falcon MalQuery.
* [InQuest Labs](https://labs.inquest.net) :sparkles: :gem:
    - See the YARA section for helper routines to convert regular expressions to match on base64 encoded strings, convert strings to sequences of uint() lookups, and more.
* [Koodous](https://koodous.com/)
    - Collaborative platform for APK analysis, with community YARA rule repository and large APK sample dataset.
* [MalShare](https://malshare.com/)
    - Free malware repository providing researchers access to samples, malicious feeds, and YARA results.
* [MalwareConfig](https://malwareconfig.com/)
    - Extract IOCs from Remote Access Trojans.
* [YaraEditor (Web)](https://www.adlice.com/download/yaraeditorweb/)
    - All-in-one website to create and manage YARA rules.
* [Yara Share](https://yara.adlice.com/)
    - Free repository and online community for users to upload and share Yara rules.
* [Yara Scan Service](https://riskmitigation.ch/yara-scan/)
    - A simple service to test your Yara rules against a large set of malicious and identified files.

## Syntax Highlighters

* Atom: [language-yara](https://github.com/blacktop/language-yara)
* Emacs: [yara-mode](https://github.com/binjo/yara-mode)
* GTK-based editors, like gedit and xed: [GtkSourceView-YARA](https://github.com/wesinator/GtkSourceView-YARA)
* Notepad++: [userDefinedLanguages](https://github.com/notepad-plus-plus/userDefinedLanguages/blob/master/udl-list.md)
* Sublime Text: [YaraSyntax](https://github.com/nyx0/YaraSyntax/)
* Vim: [vim-yara](https://github.com/yaunj/vim-yara), [vim-syntax-yara](https://github.com/s3rvac/vim-syntax-yara)
* Visual Studio Code: [vscode-yara](https://github.com/infosec-intern/vscode-yara)

## People

We're aggregating the Twitter handles for anyone involved with the projects on this page into a single list: [awesome-yara Twitter list](https://twitter.com/InQuest/lists/awesome-yara). Do let us know if anyone is missing.

## Related Awesome Lists

* [Crawler](https://github.com/BruceDone/awesome-crawler)
* [CVE PoC](https://github.com/qazbnm456/awesome-cve-poc)
* [Forensics](https://github.com/Cugu/awesome-forensics)
* [Hacking](https://github.com/carpedm20/awesome-hacking)
* [HackwithGithub](https://github.com/Hack-with-Github/Awesome-Hacking)
* [Honeypots](https://github.com/paralax/awesome-honeypots)
* [Incident-Response](https://github.com/meirwah/awesome-incident-response)
* [Infosec](https://github.com/onlurking/awesome-infosec)
* [IOCs](https://github.com/sroberts/awesome-iocs)
* [Malware Analysis](https://github.com/rshipp/awesome-malware-analysis)
* [ML for Cyber Security](https://github.com/jivoi/awesome-ml-for-cybersecurity)
* [OSINT](https://github.com/jivoi/awesome-osint)
* [PCAP Tools](https://github.com/caesar0301/awesome-pcaptools)
* [Pentesting](https://github.com/enaqx/awesome-pentest)
* [Reversing](https://github.com/tylerha97/awesome-reversing)
* [Security](https://github.com/sbilly/awesome-security)
* [Static Analysis](https://github.com/analysis-tools-dev/static-analysis)
* [Threat Detection](https://github.com/0x4D31/awesome-threat-detection)
* [Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence)

## Contributing

This list is maintained by [InQuest](https://inquest.net/). Feel free to let us know about anything we're missing!

See [CONTRIBUTING.md](CONTRIBUTING.md).