diff --git a/yara/apt_agent_btz.yar b/yara/apt_agent_btz.yar
index 81b1409..e5639b6 100644
--- a/yara/apt_agent_btz.yar
+++ b/yara/apt_agent_btz.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Agent_BTZ_Proxy_DLL_1 {
 meta:
 description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
 date = "2017-08-07"
diff --git a/yara/apt_apt10.yar b/yara/apt_apt10.yar
index 10751dd..8f3c5ac 100644
--- a/yara/apt_apt10.yar
+++ b/yara/apt_apt10.yar
@@ -8,6 +8,7 @@
 rule APT10_Malware_Sample_Gen {
 meta:
 description = "APT 10 / Cloud Hopper malware campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-06"
diff --git a/yara/apt_apt10_redleaves.yar b/yara/apt_apt10_redleaves.yar
index 62d2cd2..92937fe 100644
--- a/yara/apt_apt10_redleaves.yar
+++ b/yara/apt_apt10_redleaves.yar
@@ -13,6 +13,7 @@ import "pe"
 rule MAL_Hogfish_Report_Related_Sample {
 meta:
 description = "Detects APT10 / Hogfish related samples"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
 date = "2018-05-01"
diff --git a/yara/apt_apt12_malware.yar b/yara/apt_apt12_malware.yar
index 587a682..987ee27 100644
--- a/yara/apt_apt12_malware.yar
+++ b/yara/apt_apt12_malware.yar
@@ -13,6 +13,7 @@ import "pe"
 rule APT12_Malware_Aug17 {
 meta:
 description = "Detects APT 12 Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.macnica.net/blog/2017/08/post-fb81.html"
 date = "2017-08-30"
diff --git a/yara/apt_apt15.yar b/yara/apt_apt15.yar
index dac3931..fa4974e 100644
--- a/yara/apt_apt15.yar
+++ b/yara/apt_apt15.yar
@@ -13,6 +13,7 @@ import "pe"
 rule APT15_Malware_Mar18_RoyalCli {
 meta:
 description = "Detects malware from APT 15 report by NCC Group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/HZ5XMN"
 date = "2018-03-10"
@@ -32,6 +33,7 @@ rule APT15_Malware_Mar18_RoyalCli {
 rule APT15_Malware_Mar18_RoyalDNS {
 meta:
 description = "Detects malware from APT 15 report by NCC Group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/HZ5XMN"
 date = "2018-03-10"
@@ -57,6 +59,7 @@ rule APT15_Malware_Mar18_RoyalDNS {
 rule APT15_Malware_Mar18_BS2005 {
 meta:
 description = "Detects malware from APT 15 report by NCC Group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/HZ5XMN"
 date = "2018-03-10"
@@ -83,6 +86,7 @@ rule APT15_Malware_Mar18_BS2005 {
 rule APT15_Malware_Mar18_MSExchangeTool {
 meta:
 description = "Detects malware from APT 15 report by NCC Group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/HZ5XMN"
 date = "2018-03-10"
diff --git a/yara/apt_apt17_mal_sep17.yar b/yara/apt_apt17_mal_sep17.yar
index 4282630..3eaf82d 100644
--- a/yara/apt_apt17_mal_sep17.yar
+++ b/yara/apt_apt17_mal_sep17.yar
@@ -13,6 +13,7 @@ import "pe"
 rule APT17_Malware_Oct17_1 {
 meta:
 description = "Detects APT17 malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/puVc9q"
 date = "2017-10-03"
@@ -29,6 +30,7 @@ rule APT17_Malware_Oct17_1 {
 rule APT17_Malware_Oct17_2 {
 meta:
 description = "Detects APT17 malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/puVc9q"
 date = "2017-10-03"
@@ -57,6 +59,7 @@ rule APT17_Malware_Oct17_2 {
 rule APT17_Unsigned_Symantec_Binary_EFA {
 meta:
 description = "Detects APT17 malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/puVc9q"
 date = "2017-10-03"
@@ -71,6 +74,7 @@ rule APT17_Unsigned_Symantec_Binary_EFA {
 rule APT17_Malware_Oct17_Gen {
 meta:
 description = "Detects APT17 malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/puVc9q"
 date = "2017-10-03"
diff --git a/yara/apt_apt17_malware.yar b/yara/apt_apt17_malware.yar
index b499d09..940d504 100644
--- a/yara/apt_apt17_malware.yar
+++ b/yara/apt_apt17_malware.yar
@@ -10,6 +10,7 @@
 rule APT17_Sample_FXSST_DLL {
 meta:
 description = "Detects Samples related to APT17 activity - file FXSST.DLL"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/ZiJyQv"
 date = "2015-05-14"
@@ -17,7 +18,7 @@ rule APT17_Sample_FXSST_DLL {
 strings:
 $x1 = "Microsoft? Windows? Operating System" fullword wide
 $x2 = "fxsst.dll" fullword ascii
-
+
 $y1 = "DllRegisterServer" fullword ascii
 $y2 = ".cSV" fullword ascii
diff --git a/yara/apt_apt19.yar b/yara/apt_apt19.yar
index a115196..f5ef9b0 100644
--- a/yara/apt_apt19.yar
+++ b/yara/apt_apt19.yar
@@ -10,6 +10,7 @@
 rule Beacon_K5om {
 meta:
 description = "Detects Meterpreter Beacon - file K5om.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
 date = "2017-06-07"
diff --git a/yara/apt_apt28.yar b/yara/apt_apt28.yar
index f03ff1c..14836e4 100644
--- a/yara/apt_apt28.yar
+++ b/yara/apt_apt28.yar
@@ -10,6 +10,7 @@
 rule APT28_CHOPSTICK {
 meta:
 description = "Detects a malware that behaves like CHOPSTICK mentioned in APT28 report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/v3ebal"
 date = "2015-06-02"
@@ -91,4 +92,3 @@ rule APT28_SourFace_Malware3 {
 condition:
 uint16(0) == 0x5a4d and filesize < 550KB and all of them
 }
-
diff --git a/yara/apt_apt29_grizzly_steppe.yar b/yara/apt_apt29_grizzly_steppe.yar
index d9c9aa3..0a6301f 100644
--- a/yara/apt_apt29_grizzly_steppe.yar
+++ b/yara/apt_apt29_grizzly_steppe.yar
@@ -10,6 +10,7 @@
 rule GRIZZLY_STEPPE_Malware_1 {
 meta:
 description = "Auto-generated rule - file HRDG022184_certclint.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/WVflzO"
 date = "2016-12-29"
@@ -28,6 +29,7 @@ rule GRIZZLY_STEPPE_Malware_1 {
 rule GRIZZLY_STEPPE_Malware_2 {
 meta:
 description = "Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/WVflzO"
 date = "2016-12-29"
@@ -71,6 +73,7 @@ rule WebShell_PHP_Web_Kit_v3 {
 meta:
 description = "Detects PAS Tool PHP Web Kit"
 reference = "https://github.com/wordfence/grizzly"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2016/01/01"
 strings:
@@ -90,6 +93,7 @@ rule WebShell_PHP_Web_Kit_v4 {
 meta:
 description = "Detects PAS Tool PHP Web Kit"
 reference = "https://github.com/wordfence/grizzly"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2016/01/01"
 strings:
diff --git a/yara/apt_apt30_backspace.yar b/yara/apt_apt30_backspace.yar
index 2b198f5..90db282 100644
--- a/yara/apt_apt30_backspace.yar
+++ b/yara/apt_apt30_backspace.yar
@@ -10,6 +10,7 @@
 rule APT30_Generic_H {
 meta:
 description = "FireEye APT30 Report Sample - file db3e5c2f2ce07c2d3fa38d6fc1ceb854"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -26,6 +27,7 @@ rule APT30_Generic_H {
 rule APT30_Sample_2 {
 meta:
 description = "FireEye APT30 Report Sample - file c4dec6d69d8035d481e4f2c86f580e81"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -43,6 +45,7 @@ rule APT30_Sample_2 {
 rule APT30_Sample_3 {
 meta:
 description = "FireEye APT30 Report Sample - file 59e055cee87d8faf6f701293e5830b5a"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -60,6 +63,7 @@ rule APT30_Sample_3 {
 rule APT30_Generic_C {
 meta:
 description = "FireEye APT30 Report Sample - file 0c4fcef3b583d0ffffc2b14b9297d3a4"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -82,6 +86,7 @@ rule APT30_Generic_C {
 rule APT30_Sample_4 {
 meta:
 description = "FireEye APT30 Report Sample - file 6ba315275561d99b1eb8fc614ff0b2b3"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -100,6 +105,7 @@ rule APT30_Sample_4 {
 rule APT30_Sample_5 {
 meta:
 description = "FireEye APT30 Report Sample - file ebf42e8b532e2f3b19046b028b5dfb23"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -117,6 +123,7 @@ rule APT30_Sample_5 {
 rule APT30_Sample_6 {
 meta:
 description = "FireEye APT30 Report Sample - file ee1b23c97f809151805792f8778ead74"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -131,6 +138,7 @@ rule APT30_Sample_6 {
 rule APT30_Sample_7 {
 meta:
 description = "FireEye APT30 Report Sample - file 74b87086887e0c67ffb035069b195ac7"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -149,6 +157,7 @@ rule APT30_Sample_7 {
 rule APT30_Generic_E {
 meta:
 description = "FireEye APT30 Report Sample - file 8ff473bedbcc77df2c49a91167b1abeb"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -167,6 +176,7 @@ rule APT30_Generic_E {
 rule APT30_Sample_8 {
 meta:
 description = "FireEye APT30 Report Sample - file 44b98f22155f420af4528d17bb4a5ec8"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -183,6 +193,7 @@ rule APT30_Sample_8 {
 rule APT30_Generic_B {
 meta:
 description = "FireEye APT30 Report Sample - file 29395c528693b69233c1c12bef8a64b3"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -202,6 +213,7 @@ rule APT30_Generic_B {
 rule APT30_Generic_I {
 meta:
 description = "FireEye APT30 Report Sample - file fe211c7a081c1dac46e3935f7c614549"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -218,6 +230,7 @@ rule APT30_Generic_I {
 rule APT30_Sample_9 {
 meta:
 description = "FireEye APT30 Report Sample - file e3ae3cbc024e39121c87d73e87bb2210"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -238,6 +251,7 @@ rule APT30_Sample_9 {
 rule APT30_Sample_10 {
 meta:
 description = "FireEye APT30 Report Sample - file 8c713117af4ca6bbd69292a78069e75b"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -257,6 +271,7 @@ rule APT30_Sample_10 {
 rule APT30_Sample_11 {
 meta:
 description = "FireEye APT30 Report Sample - file d97aace631d6f089595f5ce177f54a39"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -284,6 +299,7 @@ rule APT30_Sample_11 {
 rule APT30_Sample_12 {
 meta:
 description = "FireEye APT30 Report Sample - file c95cd106c1fecbd500f4b97566d8dc96"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -299,6 +315,7 @@ rule APT30_Sample_12 {
 rule APT30_Sample_13 {
 meta:
 description = "FireEye APT30 Report Sample - file 95bb314fe8fdbe4df31a6d23b0d378bc"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -317,6 +334,7 @@ rule APT30_Sample_13 {
 rule APT30_Sample_14 {
 meta:
 description = "FireEye APT30 Report Sample - file 6f931c15789d234881be8ae8ccfe33f4"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -334,6 +352,7 @@ rule APT30_Sample_14 {
 rule APT30_Sample_15 {
 meta:
 description = "FireEye APT30 Report Sample - file e26a2afaaddfb09d9ede505c6f1cc4e3"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -352,6 +371,7 @@ rule APT30_Sample_15 {
 rule APT30_Sample_16 {
 meta:
 description = "FireEye APT30 Report Sample - file 37e568bed4ae057e548439dc811b4d3a"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -370,6 +390,7 @@ rule APT30_Sample_16 {
 rule APT30_Generic_A {
 meta:
 description = "FireEye APT30 Report Sample - file af1c1c5d8031c4942630b6a10270d8f4"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -390,6 +411,7 @@ rule APT30_Generic_A {
 rule APT30_Sample_17 {
 meta:
 description = "FireEye APT30 Report Sample - file 23813c5bf6a7af322b40bd2fd94bd42e"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -403,6 +425,7 @@ rule APT30_Sample_17 {
 rule APT30_Sample_18 {
 meta:
 description = "FireEye APT30 Report Sample - file b2138a57f723326eda5a26d2dec56851"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -423,6 +446,7 @@ rule APT30_Sample_18 {
 rule APT30_Generic_G {
 meta:
 description = "FireEye APT30 Report Sample - file 53f1358cbc298da96ec56e9a08851b4b"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -444,6 +468,7 @@ rule APT30_Generic_G {
 rule APT30_Sample_19 {
 meta:
 description = "FireEye APT30 Report Sample - file 5d4f2871fd1818527ebd65b0ff930a77"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -469,6 +494,7 @@ rule APT30_Sample_19 {
 rule APT30_Generic_E_v2 {
 meta:
 description = "FireEye APT30 Report Sample - file 71f25831681c19ea17b2f2a84a41bbfb"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -485,6 +511,7 @@ rule APT30_Generic_E_v2 {
 rule APT30_Sample_20 {
 meta:
 description = "FireEye APT30 Report Sample - file 5ae51243647b7d03a5cb20dccbc0d561"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -505,6 +532,7 @@ rule APT30_Sample_20 {
 rule APT30_Sample_21 {
 meta:
 description = "FireEye APT30 Report Sample - file 78c4fcee5b7fdbabf3b9941225d95166"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -521,6 +549,7 @@ rule APT30_Sample_21 {
 rule APT30_Sample_22 {
 meta:
 description = "FireEye APT30 Report Sample - file fad06d7b4450c4631302264486611ec3"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -539,6 +568,7 @@ rule APT30_Sample_22 {
 rule APT30_Generic_F {
 meta:
 description = "FireEye APT30 Report Sample - file 4c10a1efed25b828e4785d9526507fbc"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -557,6 +587,7 @@ rule APT30_Generic_F {
 rule APT30_Sample_23 {
 meta:
 description = "FireEye APT30 Report Sample - file a5ca2c5b4d8c0c1bc93570ed13dcab1a"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -577,6 +608,7 @@ rule APT30_Sample_23 {
 rule APT30_Sample_24 {
 meta:
 description = "FireEye APT30 Report Sample - file 062fe1336459a851bd0ea271bb2afe35"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -596,6 +628,7 @@ rule APT30_Sample_24 {
 rule APT30_Sample_25 {
 meta:
 description = "FireEye APT30 Report Sample - file c4c068200ad8033a0f0cf28507b51842"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -615,6 +648,7 @@ rule APT30_Sample_25 {
 rule APT30_Sample_26 {
 meta:
 description = "FireEye APT30 Report Sample - file 428fc53c84e921ac518e54a5d055f54a"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -634,6 +668,7 @@ rule APT30_Sample_26 {
 rule APT30_Generic_D {
 meta:
 description = "FireEye APT30 Report Sample - file 597805832d45d522c4882f21db800ecf"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -657,6 +692,7 @@ rule APT30_Generic_D {
 rule APT30_Sample_27 {
 meta:
 description = "FireEye APT30 Report Sample - file d38e02eac7e3b299b46ff2607dd0f288"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -676,6 +712,7 @@ rule APT30_Sample_27 {
 rule APT30_Sample_28 {
 meta:
 description = "FireEye APT30 Report Sample - file e62a63307deead5c9fcca6b9a2d51fb0"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -704,6 +741,7 @@ rule APT30_Sample_28 {
 rule APT30_Sample_29 {
 meta:
 description = "FireEye APT30 Report Sample - file 1b81b80ff0edf57da2440456d516cc90"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -724,6 +762,7 @@ rule APT30_Sample_29 {
 rule APT30_Sample_30 {
 meta:
 description = "FireEye APT30 Report Sample - file bf8616bbed6d804a3dea09b230c2ab0c"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -741,6 +780,7 @@ rule APT30_Sample_30 {
 rule APT30_Sample_31 {
 meta:
 description = "FireEye APT30 Report Sample - file d8e68db503f4155ed1aeba95d1f5e3e4"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -758,6 +798,7 @@ rule APT30_Sample_31 {
 rule APT30_Generic_J {
 meta:
 description = "FireEye APT30 Report Sample - file baff5262ae01a9217b10fcd5dad9d1d5"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -789,6 +830,7 @@ rule APT30_Generic_J {
 rule APT30_Microfost {
 meta:
 description = "FireEye APT30 Report Sample - file 310a4a62ba3765cbf8e8bbb9f324c503"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -803,6 +845,7 @@ rule APT30_Microfost {
 rule APT30_Generic_K {
 meta:
 description = "FireEye APT30 Report Sample - file b5a343d11e1f7340de99118ce9fc1bbb"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -832,6 +875,7 @@ rule APT30_Generic_K {
 rule APT30_Sample_33 {
 meta:
 description = "FireEye APT30 Report Sample - file 5eaf3deaaf2efac92c73ada82a651afe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -852,6 +896,7 @@ rule APT30_Sample_33 {
 rule APT30_Sample_34 {
 meta:
 description = "FireEye APT30 Report Sample - file a9e8e402a7ee459e4896d0ba83543684"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -871,6 +916,7 @@ rule APT30_Sample_34 {
 rule APT30_Sample_35 {
 meta:
 description = "FireEye APT30 Report Sample - file 414854a9b40f7757ed7bfc6a1b01250f"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -886,6 +932,7 @@ rule APT30_Sample_35 {
 rule APT30_Sample_1 {
 meta:
 description = "FireEye APT30 Report Sample - file 4c6b21e98ca03e0ef0910e07cef45dac"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -903,6 +950,7 @@ rule APT30_Sample_1 {
 rule APT30_Generic_1 {
 meta:
 description = "FireEye APT30 Report Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -935,6 +983,7 @@ rule APT30_Generic_1 {
 rule APT30_Generic_2 {
 meta:
 description = "FireEye APT30 Report Sample - from many files"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -990,6 +1039,7 @@ rule APT30_Generic_2 {
 rule APT30_Generic_3 {
 meta:
 description = "FireEye APT30 Report Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -1008,6 +1058,7 @@ rule APT30_Generic_3 {
 rule APT30_Generic_4 {
 meta:
 description = "FireEye APT30 Report Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -1038,6 +1089,7 @@ rule APT30_Generic_4 {
 rule APT30_Generic_5 {
 meta:
 description = "FireEye APT30 Report Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -1059,6 +1111,7 @@ rule APT30_Generic_5 {
 rule APT30_Generic_6 {
 meta:
 description = "FireEye APT30 Report Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -1080,6 +1133,7 @@ rule APT30_Generic_6 {
 rule APT30_Generic_7 {
 meta:
 description = "FireEye APT30 Report Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -1097,6 +1151,7 @@ rule APT30_Generic_7 {
 rule APT30_Generic_8 {
 meta:
 description = "FireEye APT30 Report Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
@@ -1122,6 +1177,7 @@ rule APT30_Generic_8 {
 rule APT30_Generic_9 {
 meta:
 description = "FireEye APT30 Report Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 date = "2015/04/13"
diff --git a/yara/apt_apt34.yar b/yara/apt_apt34.yar
index 3f49837..a1bae3a 100644
--- a/yara/apt_apt34.yar
+++ b/yara/apt_apt34.yar
@@ -12,6 +12,7 @@
 rule APT34_Malware_HTA {
 meta:
 description = "Detects APT 34 malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
 date = "2017-12-07"
@@ -32,6 +33,7 @@ rule APT34_Malware_HTA {
 rule APT34_Malware_Exeruner {
 meta:
 description = "Detects APT 34 malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
 date = "2017-12-07"
diff --git a/yara/apt_apt6_malware.yar b/yara/apt_apt6_malware.yar
index 8494804..3598562 100644
--- a/yara/apt_apt6_malware.yar
+++ b/yara/apt_apt6_malware.yar
@@ -8,6 +8,7 @@
 rule APT6_Malware_Sample_Gen {
 meta:
 description = "Rule written for 2 malware samples that communicated to APT6 C2 servers"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/"
 date = "2016-04-09"
diff --git a/yara/apt_ar18_165a.yar b/yara/apt_ar18_165a.yar
index b5fcdbe..ea02cd3 100644
--- a/yara/apt_ar18_165a.yar
+++ b/yara/apt_ar18_165a.yar
@@ -59,6 +59,7 @@ rule APT_NK_AR18_165A_HiddenCobra_import_deob {
 rule APT_NK_AR18_165A_1 {
 meta:
 description = "Detects APT malware from AR18-165A report by US CERT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
 date = "2018-06-15"
diff --git a/yara/apt_backdoor_ssh_python.yar b/yara/apt_backdoor_ssh_python.yar
index 0c22036..1c49210 100644
--- a/yara/apt_backdoor_ssh_python.yar
+++ b/yara/apt_backdoor_ssh_python.yar
@@ -2,6 +2,7 @@
 rule custom_ssh_backdoor_server {
 meta:
 description = "Custome SSH backdoor based on python and paramiko - file server.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/S46L3o"
 date = "2015-05-14"
diff --git a/yara/apt_beepservice.yar b/yara/apt_beepservice.yar
index 5dbfd71..722f3b3 100644
--- a/yara/apt_beepservice.yar
+++ b/yara/apt_beepservice.yar
@@ -10,6 +10,7 @@
 rule BeepService_Hacktool {
 meta:
 description = "Detects BeepService Hacktool used by Chinese APT groups"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/p32Ozf"
 date = "2016-05-12"
diff --git a/yara/apt_bigbang.yar b/yara/apt_bigbang.yar
index 591878b..897fd21 100644
--- a/yara/apt_bigbang.yar
+++ b/yara/apt_bigbang.yar
@@ -3,6 +3,7 @@ import "pe"
 rule APT_ME_BigBang_Gen_Jul18_1 {
 meta:
 description = "Detects malware from Big Bang campaign against Palestinian authorities"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
 date = "2018-07-09"
@@ -29,6 +30,7 @@ rule APT_ME_BigBang_Gen_Jul18_1 {
 rule APT_ME_BigBang_Mal_Jul18_1 {
 meta:
 description = "Detects malware from Big Bang report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
 date = "2018-07-09"
diff --git a/yara/apt_blackenergy.yar b/yara/apt_blackenergy.yar
index 911ce9d..2c4473c 100644
--- a/yara/apt_blackenergy.yar
+++ b/yara/apt_blackenergy.yar
@@ -8,6 +8,7 @@
 rule BlackEnergy_BE_2 {
 meta:
 description = "Detects BlackEnergy 2 Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/DThzLz"
 date = "2015/02/19"
@@ -32,6 +33,7 @@ rule BlackEnergy_BE_2 {
 rule BlackEnergy_VBS_Agent {
 meta:
 description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
 date = "2016-01-03"
@@ -47,6 +49,7 @@ rule BlackEnergy_VBS_Agent {
 rule DropBear_SSH_Server {
 meta:
 description = "Detects DropBear SSH Server (not a threat but used to maintain access)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
 date = "2016-01-03"
@@ -65,6 +68,7 @@ rule DropBear_SSH_Server {
 rule BlackEnergy_BackdoorPass_DropBear_SSH {
 meta:
 description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
 date = "2016-01-03"
@@ -80,6 +84,7 @@ rule BlackEnergy_BackdoorPass_DropBear_SSH {
 rule BlackEnergy_KillDisk_1 {
 meta:
 description = "Detects KillDisk malware from BlackEnergy"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
 date = "2016-01-03"
@@ -107,6 +112,7 @@ rule BlackEnergy_KillDisk_1 {
 rule BlackEnergy_KillDisk_2 {
 meta:
 description = "Detects KillDisk malware from BlackEnergy"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
 date = "2016-01-03"
@@ -127,6 +133,7 @@ rule BlackEnergy_KillDisk_2 {
 rule BlackEnergy_Driver_USBMDM {
 meta:
 description = "Black Energy Driver"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
 date = "2016-01-04"
@@ -150,6 +157,7 @@ rule BlackEnergy_Driver_USBMDM {
 rule BlackEnergy_Driver_AMDIDE {
 meta:
 description = "Black Energy Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
 date = "2016-01-04"
diff --git a/yara/apt_bronze_butler.yar b/yara/apt_bronze_butler.yar
index ab7dd75..7ff928e 100644
--- a/yara/apt_bronze_butler.yar
+++ b/yara/apt_bronze_butler.yar
@@ -13,6 +13,7 @@ import "pe"
 rule BronzeButler_Daserf_Delphi_1 {
 meta:
 description = "Detects malware / hacktool sample from Bronze Butler incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
 date = "2017-10-14"
@@ -36,6 +37,7 @@ rule BronzeButler_Daserf_Delphi_1 {
 rule BronzeButler_Daserf_C_1 {
 meta:
 description = "Detects malware / hacktool sample from Bronze Butler incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
 date = "2017-10-14"
@@ -76,6 +78,7 @@ rule BronzeButler_Daserf_C_1 {
 rule BronzeButler_DGet_1 {
 meta:
 description = "Detects malware / hacktool sample from Bronze Butler incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
 date = "2017-10-14"
@@ -89,6 +92,7 @@ rule BronzeButler_DGet_1 {
 rule BronzeButler_UACBypass_1 {
 meta:
 description = "Detects malware / hacktool sample from Bronze Butler incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
 date = "2017-10-14"
@@ -107,6 +111,7 @@ rule BronzeButler_UACBypass_1 {
 rule BronzeButler_xxmm_1 {
 meta:
 description = "Detects malware / hacktool sample from Bronze Butler incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
 date = "2017-10-14"
@@ -132,6 +137,7 @@ rule BronzeButler_xxmm_1 {
 rule BronzeButler_RarStar_1 {
 meta:
 description = "Detects malware / hacktool sample from Bronze Butler incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
 date = "2017-10-14"
@@ -158,6 +164,7 @@ rule BronzeButler_RarStar_1 {
 rule Daserf_Nov1_BronzeButler {
 meta:
 description = "Detects Daserf malware used by Bronze Butler"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/ffeCfd"
 date = "2017-11-08"
diff --git a/yara/apt_buckeye.yar b/yara/apt_buckeye.yar
index 4df8a7c..13e3cc3 100644
--- a/yara/apt_buckeye.yar
+++ b/yara/apt_buckeye.yar
@@ -10,6 +10,7 @@
 rule Buckeye_Osinfo {
 meta:
 description = "Detects OSinfo tool used by the Buckeye APT group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
 date = "2016-09-05"
@@ -28,6 +29,7 @@ rule Buckeye_Osinfo {
 rule RemoteCmd {
 meta:
 description = "Detects a remote access tool used by APT groups - file RemoteCmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
@@ -46,6 +48,7 @@ rule RemoteCmd {
 rule ChromePass {
 meta:
 description = "Detects a tool used by APT groups - file ChromePass.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
diff --git a/yara/apt_casper.yar b/yara/apt_casper.yar
index a5955d9..68e5f7a 100644
--- a/yara/apt_casper.yar
+++ b/yara/apt_casper.yar
@@ -4,6 +4,7 @@
 rule Casper_Backdoor_x86 {
 meta:
 description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/VRJNLo"
 date = "2015/03/05"
@@ -35,6 +36,7 @@ rule Casper_Backdoor_x86 {
 rule Casper_EXE_Dropper {
 meta:
 description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/VRJNLo"
 date = "2015/03/05"
@@ -56,6 +58,7 @@ rule Casper_EXE_Dropper {
 rule Casper_Included_Strings {
 meta:
 description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/VRJNLo"
 date = "2015/03/06"
@@ -80,6 +83,7 @@ rule Casper_Included_Strings {
 rule Casper_SystemInformation_Output {
 meta:
 description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/VRJNLo"
 date = "2015/03/06"
diff --git a/yara/apt_cheshirecat.yar b/yara/apt_cheshirecat.yar
index cfbac0d..ec5832c 100644
--- a/yara/apt_cheshirecat.yar
+++ b/yara/apt_cheshirecat.yar
@@ -11,6 +11,7 @@
 rule CheshireCat_Sample2 {
 meta:
 description = "Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
 date = "2015-08-08"
@@ -33,6 +34,7 @@ rule CheshireCat_Sample2 {
 rule CheshireCat_Gen1 {
 meta:
 description = "Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
 date = "2015-08-08"
@@ -72,6 +74,7 @@ rule CheshireCat_Gen1 {
 rule CheshireCat_Gen2 {
 meta:
 description = "Cheshire Cat Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
 date = "2015-08-08"
diff --git a/yara/apt_cloudduke.yar b/yara/apt_cloudduke.yar
index 96254bb..a4e9d36 100644
--- a/yara/apt_cloudduke.yar
+++ b/yara/apt_cloudduke.yar
@@ -10,6 +10,7 @@
 rule CloudDuke_Malware {
 meta:
 description = "Detects CloudDuke Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.f-secure.com/weblog/archives/00002822.html"
 date = "2015-07-22"
diff --git a/yara/apt_cmstar.yar b/yara/apt_cmstar.yar
index 54f22c4..1cefcb9 100644
--- a/yara/apt_cmstar.yar
+++ b/yara/apt_cmstar.yar
@@ -13,6 +13,7 @@ import "pe"
 rule CMStar_Malware_Sep17 {
 meta:
 description = "Detects CMStar Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/pTffPA"
 date = "2017-10-03"
diff --git a/yara/apt_cn_pp_zerot.yar b/yara/apt_cn_pp_zerot.yar
index 2803c40..db44f44 100644
--- a/yara/apt_cn_pp_zerot.yar
+++ b/yara/apt_cn_pp_zerot.yar
@@ -11,6 +11,7 @@
 rule PP_CN_APT_ZeroT_1 {
 meta:
 description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-03"
@@ -24,6 +25,7 @@ rule PP_CN_APT_ZeroT_1 {
 rule PP_CN_APT_ZeroT_2 {
 meta:
 description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-03"
@@ -37,6 +39,7 @@ rule PP_CN_APT_ZeroT_2 {
 rule PP_CN_APT_ZeroT_3 {
 meta:
 description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-03"
@@ -55,6 +58,7 @@ rule PP_CN_APT_ZeroT_3 {
 rule PP_CN_APT_ZeroT_4 {
 meta:
 description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-03"
@@ -69,6 +73,7 @@ rule PP_CN_APT_ZeroT_4 {
 rule PP_CN_APT_ZeroT_5 {
 meta:
 description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-03"
@@ -87,6 +92,7 @@ rule PP_CN_APT_ZeroT_5 {
 rule PP_CN_APT_ZeroT_6 {
 meta:
 description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-03"
@@ -100,6 +106,7 @@ rule PP_CN_APT_ZeroT_6 {
 rule PP_CN_APT_ZeroT_7 {
 meta:
 description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-03"
@@ -116,6 +123,7 @@ rule PP_CN_APT_ZeroT_7 {
 rule PP_CN_APT_ZeroT_8 {
 meta:
 description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-03"
@@ -132,6 +140,7 @@ rule PP_CN_APT_ZeroT_8 {
 rule PP_CN_APT_ZeroT_9 {
 meta:
 description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-03"
@@ -146,6 +155,7 @@ rule PP_CN_APT_ZeroT_9 {
 rule CN_APT_ZeroT_nflogger {
 meta:
 description = "Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-04"
@@ -159,6 +169,7 @@ rule CN_APT_ZeroT_nflogger {
 rule CN_APT_ZeroT_extracted_Go {
 meta:
 description = "Chinese APT by Proofpoint ZeroT RAT - file Go.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-04"
@@ -181,6 +192,7 @@ rule CN_APT_ZeroT_extracted_Go {
 rule CN_APT_ZeroT_extracted_Mcutil {
 meta:
 description = "Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-04"
@@ -199,6 +211,7 @@ rule CN_APT_ZeroT_extracted_Mcutil {
 rule CN_APT_ZeroT_extracted_Zlh {
 meta:
 description = "Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
 date = "2017-02-04"
diff --git a/yara/apt_codoso.yar b/yara/apt_codoso.yar
index ff315b4..3d94c8c 100644
--- a/yara/apt_codoso.yar
+++ b/yara/apt_codoso.yar
@@ -11,6 +11,7 @@
 rule Codoso_PlugX_3 {
 meta:
 description = "Detects Codoso APT PlugX Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -26,6 +27,7 @@ rule Codoso_PlugX_3 {
 rule Codoso_PlugX_2 {
 meta:
 description = "Detects Codoso APT PlugX Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -42,6 +44,7 @@ rule Codoso_PlugX_2 {
 rule Codoso_CustomTCP_4 {
 meta:
 description = "Detects Codoso APT CustomTCP Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -66,6 +69,7 @@ rule Codoso_CustomTCP_4 {
 rule Codoso_CustomTCP_3 {
 meta:
 description = "Detects Codoso APT CustomTCP Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -86,6 +90,7 @@ rule Codoso_CustomTCP_3 {
 rule Codoso_CustomTCP_2 {
 meta:
 description = "Detects Codoso APT CustomTCP Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -105,6 +110,7 @@ rule Codoso_CustomTCP_2 {
 rule Codoso_PGV_PVID_6 {
 meta:
 description = "Detects Codoso APT PGV_PVID Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -118,6 +124,7 @@ rule Codoso_PGV_PVID_6 {
 rule Codoso_Gh0st_3 {
 meta:
 description = "Detects Codoso APT Gh0st Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -138,6 +145,7 @@ rule Codoso_Gh0st_3 {
 rule Codoso_Gh0st_2 {
 meta:
 description = "Detects Codoso APT Gh0st Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -155,6 +163,7 @@ rule Codoso_Gh0st_2 {
 rule Codoso_CustomTCP {
 meta:
 description = "Codoso CustomTCP Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -174,6 +183,7 @@ rule Codoso_CustomTCP {
 rule Codoso_PGV_PVID_5 {
 meta:
 description = "Detects Codoso APT PGV PVID Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -189,6 +199,7 @@ rule Codoso_PGV_PVID_5 {
 rule Codoso_Gh0st_1 {
 meta:
 description = "Detects Codoso APT Gh0st Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -226,6 +237,7 @@ rule Codoso_Gh0st_1 {
 rule Codoso_PGV_PVID_4 {
 meta:
 description = "Detects Codoso APT PlugX Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -252,6 +264,7 @@ rule Codoso_PGV_PVID_4 {
 rule Codoso_PlugX_1 {
 meta:
 description = "Detects Codoso APT PlugX Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -269,6 +282,7 @@ rule Codoso_PlugX_1 {
 rule Codoso_PGV_PVID_3 {
 meta:
 description = "Detects Codoso APT PGV PVID Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -287,6 +301,7 @@ rule Codoso_PGV_PVID_3 {
 rule Codoso_PGV_PVID_2 {
 meta:
 description = "Detects Codoso APT PGV PVID Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
@@ -308,6 +323,7 @@ rule Codoso_PGV_PVID_2 {
 rule Codoso_PGV_PVID_1 {
 meta:
 description = "Detects Codoso APT PGV PVID Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
 date = "2016-01-30"
diff --git a/yara/apt_coreimpact_agent.yar b/yara/apt_coreimpact_agent.yar
index 7c3db12..2055125 100644
--- a/yara/apt_coreimpact_agent.yar
+++ b/yara/apt_coreimpact_agent.yar
@@ -6,6 +6,7 @@
 rule CoreImpact_sysdll_exe {
 meta:
 description = "Detects a malware sysdll.exe from the Rocket Kitten APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 date = "27.12.2014"
diff --git a/yara/apt_crash_override.yar b/yara/apt_crash_override.yar
deleted file mode 100644
index 6a09a37..0000000
--- a/yara/apt_crash_override.yar
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- Yara Rule Set
- Author: Dragos Inc
- Date: 2016-06-12
- Identifier: Crash Override
-*/
-
-import "pe"
-
-rule dragos_crashoverride_suspcious
-{
- meta:
- description = "CRASHOVERRIDE v1 Wiper"
- author = "Dragos Inc"
- reference = "https://t.co/h8QaIP4FU8"
- strings:
- $s0 = "SYS_BASCON.COM" fullword nocase wide
- $s1 = ".pcmp" fullword nocase wide
- $s2 = ".pcmi" fullword nocase wide
- $s3 = ".pcmt" fullword nocase wide
- $s4 = ".cin" fullword nocase wide
- condition:
- pe.exports("Crash") and any of ($s*)
-}
-
-rule dragos_crashoverride_exporting_dlls {
- meta:
- description = "CRASHOVERRIDE v1 Suspicious Export"
- author = "Dragos Inc"
- reference = "https://t.co/h8QaIP4FU8"
- condition:
- pe.exports("Crash") & pe.characteristics
-}
-
-rule dragos_crashoverride_name_search {
- meta:
- description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
- author = "Dragos Inc"
- reference = "https://t.co/h8QaIP4FU8"
- strings:
- $s0 = "101.dll" fullword nocase wide
- $s1 = "Crash101.dll" fullword nocase wide
- $s2 = "104.dll" fullword nocase wide
- $s3 = "Crash104.dll" fullword nocase wide
- $s4 = "61850.dll" fullword nocase wide
- $s5 = "Crash61850.dll" fullword nocase wide
- $s6 = "OPCClientDemo.dll" fullword nocase wide
- $s7 = "OPC" fullword nocase wide
- $s8 = "CrashOPCClientDemo.dll" fullword nocase wide
- $s9 = "D2MultiCommService.exe" fullword nocase wide
- $s10 = "CrashD2MultiCommService.exe" fullword nocase wide $s11 = "61850.exe" fullword nocase wide
- $s12 = "OPC.exe" fullword nocase wide
- $s13 = "haslo.exe" fullword nocase wide
- $s14 = "haslo.dat" fullword nocase wide
- condition:
- any of ($s*) and pe.exports("Crash")
-}
-
-
\ No newline at end of file
diff --git a/yara/apt_danti_svcmondr.yar b/yara/apt_danti_svcmondr.yar
index b02be11..974d827 100644
--- a/yara/apt_danti_svcmondr.yar
+++ b/yara/apt_danti_svcmondr.yar
@@ -10,6 +10,7 @@
 rule Mal_Dropper_httpEXE_from_CAB {
 meta:
 description = "Detects a dropper from a CAB file mentioned in the article"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/13Wgy1"
 date = "2016-05-25"
@@ -25,6 +26,7 @@ rule Mal_Dropper_httpEXE_from_CAB {
 rule Mal_http_EXE {
 meta:
 description = "Detects trojan from APT report named http.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/13Wgy1"
 date = "2016-05-25"
@@ -55,6 +57,7 @@ rule Mal_http_EXE {
 rule Mal_PotPlayer_DLL {
 meta:
 description = "Detects a malicious PotPlayer.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/13Wgy1"
 date = "2016-05-25"
diff --git a/yara/apt_darkcaracal.yar b/yara/apt_darkcaracal.yar
index cc06d13..5e0cf1b 100644
--- a/yara/apt_darkcaracal.yar
+++ b/yara/apt_darkcaracal.yar
@@ -12,6 +12,7 @@
 rule MiniRAT_Gen_1 {
 meta:
 description = "Detects Mini RAT malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news"
 date = "2018-01-22"
diff --git a/yara/apt_darkhydrus.yar b/yara/apt_darkhydrus.yar
index b0d81d6..ee5fb4e 100644
--- a/yara/apt_darkhydrus.yar
+++ b/yara/apt_darkhydrus.yar
@@ -13,6 +13,7 @@ import "pe"
 rule APT_DarkHydrus_Jul18_1 {
 meta:
 description = "Detects strings found in malware samples in APT report in DarkHydrus"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
 date = "2018-07-28"
@@ -29,6 +30,7 @@ rule APT_DarkHydrus_Jul18_1 {
 rule APT_DarkHydrus_Jul18_2 {
 meta:
 description = "Detects strings found in malware samples in APT report in DarkHydrus"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
 date = "2018-07-28"
@@ -48,6 +50,7 @@ rule APT_DarkHydrus_Jul18_2 {
 rule APT_DarkHydrus_Jul18_3 {
 meta:
 description = "Detects strings found in malware samples in APT report in DarkHydrus"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
 date = "2018-07-28"
@@ -67,6 +70,7 @@ rule APT_DarkHydrus_Jul18_3 {
 rule APT_DarkHydrus_Jul18_4 {
 meta:
 description = "Detects strings found in malware samples in APT report in DarkHydrus"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
 date = "2018-07-28"
@@ -87,6 +91,7 @@ rule APT_DarkHydrus_Jul18_4 {
 rule APT_DarkHydrus_Jul18_5 {
 meta:
 description = "Detects strings found in malware samples in APT report in DarkHydrus"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
 date = "2018-07-28"
diff --git a/yara/apt_deeppanda.yar b/yara/apt_deeppanda.yar
index 188ad2c..feff5d1 100644
--- a/yara/apt_deeppanda.yar
+++ b/yara/apt_deeppanda.yar
@@ -3,6 +3,7 @@
 rule DeepPanda_sl_txt_packed {
 meta:
 description = "Hack Deep Panda - ScanLine sl-txt-packed"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015/02/08"
 hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
@@ -22,6 +23,7 @@ rule DeepPanda_sl_txt_packed {
 rule DeepPanda_lot1 {
 meta:
 description = "Hack Deep Panda - lot1.tmp-pwdump"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015/02/08"
 hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
@@ -47,6 +49,7 @@ rule DeepPanda_lot1 {
 rule DeepPanda_htran_exe {
 meta:
 description = "Hack Deep Panda - htran-exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015/02/08"
 hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
@@ -66,6 +69,7 @@ rule DeepPanda_htran_exe {
 rule DeepPanda_Trojan_Kakfum {
 meta:
 description = "Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015/02/08"
 hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
diff --git a/yara/apt_derusbi.yar b/yara/apt_derusbi.yar
index e0fa954..1f5cf4a 100644
--- a/yara/apt_derusbi.yar
+++ b/yara/apt_derusbi.yar
@@ -47,6 +47,7 @@ rule derusbi_linux
 rule Derusbi_Kernel_Driver_WD_UDFS {
 meta:
 description = "Detects Derusbi Kernel Driver"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
 date = "2015-12-15"
@@ -78,6 +79,7 @@ rule Derusbi_Kernel_Driver_WD_UDFS {
 rule Derusbi_Code_Signing_Cert {
 meta:
 description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
 date = "2015-12-15"
@@ -93,6 +95,7 @@ rule Derusbi_Code_Signing_Cert {
 rule XOR_4byte_Key {
 meta:
 description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
 date = "2015-12-15"
@@ -116,6 +119,7 @@ rule XOR_4byte_Key {
 rule Derusbi_Backdoor_Mar17_1 {
 meta:
 description = "Detects a variant of the Derusbi backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-03"
diff --git a/yara/apt_dragonfly.yar b/yara/apt_dragonfly.yar
index 4a682e9..e38b4ef 100644
--- a/yara/apt_dragonfly.yar
+++ b/yara/apt_dragonfly.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Unspecified_Malware_Sep1_A1 {
 meta:
 description = "Detects malware from DrqgonFly APT report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
 date = "2017-09-12"
@@ -27,6 +28,7 @@ rule Unspecified_Malware_Sep1_A1 {
 rule DragonFly_APT_Sep17_1 {
 meta:
 description = "Detects malware from DrqgonFly APT report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
 date = "2017-09-12"
@@ -42,6 +44,7 @@ rule DragonFly_APT_Sep17_1 {
 rule DragonFly_APT_Sep17_2 {
 meta:
 description = "Detects malware from DrqgonFly APT report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
 date = "2017-09-12"
@@ -62,6 +65,7 @@ rule DragonFly_APT_Sep17_2 {
 rule DragonFly_APT_Sep17_3 {
 meta:
 description = "Detects malware from DrqgonFly APT report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
 date = "2017-09-12"
@@ -83,6 +87,7 @@ rule DragonFly_APT_Sep17_3 {
 rule DragonFly_APT_Sep17_4 {
 meta:
 description = "Detects malware from DrqgonFly APT report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
 date = "2017-09-12"
diff --git a/yara/apt_dubnium.yar b/yara/apt_dubnium.yar
index 07e0f1a..5804ec7 100644
--- a/yara/apt_dubnium.yar
+++ b/yara/apt_dubnium.yar
@@ -10,6 +10,7 @@
 rule Dubnium_Sample_1 {
 meta:
 description = "Detects sample mentioned in the Dubnium Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/AW9Cuu"
 date = "2016-06-10"
@@ -24,6 +25,7 @@ rule Dubnium_Sample_1 {
 rule Dubnium_Sample_2 {
 meta:
 description = "Detects sample mentioned in the Dubnium Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/AW9Cuu"
 date = "2016-06-10"
@@ -38,6 +40,7 @@ rule Dubnium_Sample_2 {
 rule Dubnium_Sample_3 {
 meta:
 description = "Detects sample mentioned in the Dubnium Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/AW9Cuu"
 date = "2016-06-10"
@@ -58,6 +61,7 @@ rule Dubnium_Sample_3 {
 rule Dubnium_Sample_5 {
 meta:
 description = "Detects sample mentioned in the Dubnium Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/AW9Cuu"
 date = "2016-06-10"
@@ -81,6 +85,7 @@ rule Dubnium_Sample_5 {
 rule Dubnium_Sample_6 {
 meta:
 description = "Detects sample mentioned in the Dubnium Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/AW9Cuu"
 date = "2016-06-10"
@@ -99,6 +104,7 @@ rule Dubnium_Sample_6 {
 rule Dubnium_Sample_7 {
 meta:
 description = "Detects sample mentioned in the Dubnium Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/AW9Cuu"
 date = "2016-06-10"
@@ -121,6 +127,7 @@ rule Dubnium_Sample_7 {
 rule Dubnium_Sample_SSHOpenSSL {
 meta:
 description = "Detects sample mentioned in the Dubnium Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/AW9Cuu"
 date = "2016-06-10"
diff --git a/yara/apt_duqu2.yar b/yara/apt_duqu2.yar
index e07c8b2..7987edb 100644
--- a/yara/apt_duqu2.yar
+++ b/yara/apt_duqu2.yar
@@ -10,6 +10,7 @@
 rule Duqu2_Sample1 {
 meta:
 description = "Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
 date = "2016-07-02"
@@ -28,6 +29,7 @@ rule Duqu2_Sample1 {
 rule Duqu2_Sample2 {
 meta:
 description = "Detects Duqu2 Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
 date = "2016-07-02"
@@ -48,6 +50,7 @@ rule Duqu2_Sample2 {
 rule Duqu2_Sample3 {
 meta:
 description = "Detects Duqu2 Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
 date = "2016-07-02"
@@ -62,6 +65,7 @@ rule Duqu2_Sample3 {
 rule Duqu2_Sample4 {
 meta:
 description = "Detects Duqu2 Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
 date = "2016-07-02"
@@ -78,6 +82,7 @@ rule Duqu2_Sample4 {
 rule Duqu2_UAs {
 meta:
 description = "Detects Duqu2 Executable based on the specific UAs in the file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
 date = "2016-07-02"
diff --git a/yara/apt_emissary.yar b/yara/apt_emissary.yar
index 55fd2d5..5d0412b 100644
--- a/yara/apt_emissary.yar
+++ b/yara/apt_emissary.yar
@@ -8,6 +8,7 @@
 rule Emissary_APT_Malware_1 {
 meta:
 description = "Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/V0epcf"
 date = "2016-01-02"
diff --git a/yara/apt_eqgrp.yar b/yara/apt_eqgrp.yar
index 828be7b..546d864 100644
--- a/yara/apt_eqgrp.yar
+++ b/yara/apt_eqgrp.yar
@@ -12,6 +12,7 @@ import "pe"
 rule EQGRP_noclient_3_0_5 {
 meta:
 description = "Detects tool from EQGRP toolset - file noclient-3.0.5.3"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -29,6 +30,7 @@ rule EQGRP_noclient_3_0_5 {
 rule EQGRP_installdate {
 meta:
 description = "Detects tool from EQGRP toolset - file installdate.pl"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -48,6 +50,7 @@ rule EQGRP_installdate {
 rule EQGRP_teflondoor {
 meta:
 description = "Detects tool from EQGRP toolset - file teflondoor.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -69,6 +72,7 @@ rule EQGRP_teflondoor {
 rule EQGRP_durablenapkin_solaris_2_0_1 {
 meta:
 description = "Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -86,6 +90,7 @@ rule EQGRP_durablenapkin_solaris_2_0_1 {
 rule EQGRP_teflonhandle {
 meta:
 description = "Detects tool from EQGRP toolset - file teflonhandle.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -103,6 +108,7 @@ rule EQGRP_teflonhandle {
 rule EQGRP_false {
 meta:
 description = "Detects tool from EQGRP toolset - file false.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -124,6 +130,7 @@ rule EQGRP_false {
 rule EQGRP_dn_1_0_2_1 {
 meta:
 description = "Detects tool from EQGRP toolset - file dn.1.0.2.1.linux"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -140,6 +147,7 @@ rule EQGRP_dn_1_0_2_1 {
 rule EQGRP_morel {
 meta:
 description = "Detects tool from EQGRP toolset - file morel.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -156,6 +164,7 @@ rule EQGRP_morel {
 rule EQGRP_bc_parser {
 meta:
 description = "Detects tool from EQGRP toolset - file bc-parser"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -171,6 +180,7 @@ rule EQGRP_bc_parser {
 rule EQGRP_1212 {
 meta:
 description = "Detects tool from EQGRP toolset - file 1212.pl"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -189,6 +199,7 @@ rule EQGRP_1212 {
 rule EQGRP_1212_dehex {
 meta:
 description = "Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-15"
@@ -215,6 +226,7 @@ rule EQGRP_1212_dehex {
 rule install_get_persistent_filenames {
 meta:
 description = "EQGRP Toolset Firewall - file install_get_persistent_filenames"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -228,6 +240,7 @@ rule install_get_persistent_filenames {
 rule EQGRP_create_dns_injection {
 meta:
 description = "EQGRP Toolset Firewall - file create_dns_injection.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -242,6 +255,7 @@ rule EQGRP_create_dns_injection {
 rule EQGRP_screamingplow {
 meta:
 description = "EQGRP Toolset Firewall - file screamingplow.sh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -256,6 +270,7 @@ rule EQGRP_screamingplow {
 rule EQGRP_MixText {
 meta:
 description = "EQGRP Toolset Firewall - file MixText.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -269,6 +284,7 @@ rule EQGRP_MixText {
 rule EQGRP_tunnel_state_reader {
 meta:
 description = "EQGRP Toolset Firewall - file tunnel_state_reader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -283,6 +299,7 @@ rule EQGRP_tunnel_state_reader {
 rule EQGRP_payload {
 meta:
 description = "EQGRP Toolset Firewall - file payload.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -297,6 +314,7 @@ rule EQGRP_payload {
 rule EQGRP_eligiblecandidate {
 meta:
 description = "EQGRP Toolset Firewall - file eligiblecandidate.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -314,6 +332,7 @@ rule EQGRP_eligiblecandidate {
 rule EQGRP_BUSURPER_2211_724 {
 meta:
 description = "EQGRP Toolset Firewall - file BUSURPER-2211-724.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -331,6 +350,7 @@ rule EQGRP_BUSURPER_2211_724 {
 rule EQGRP_networkProfiler_orderScans {
 meta:
 description = "EQGRP Toolset Firewall - file networkProfiler_orderScans.sh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -345,6 +365,7 @@ rule EQGRP_networkProfiler_orderScans {
 rule EQGRP_epicbanana_2_1_0_1 {
 meta:
 description = "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -359,6 +380,7 @@ rule EQGRP_epicbanana_2_1_0_1 {
 rule EQGRP_sniffer_xml2pcap {
 meta:
 description = "EQGRP Toolset Firewall - file sniffer_xml2pcap"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -373,6 +395,7 @@ rule EQGRP_sniffer_xml2pcap {
 rule EQGRP_BananaAid {
 meta:
 description = "EQGRP Toolset Firewall - file BananaAid"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -389,6 +412,7 @@ rule EQGRP_BananaAid {
 rule EQGRP_bo {
 meta:
 description = "EQGRP Toolset Firewall - file bo"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -406,6 +430,7 @@ rule EQGRP_bo {
 rule EQGRP_SecondDate_2211 {
 meta:
 description = "EQGRP Toolset Firewall - file SecondDate-2211.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -422,6 +447,7 @@ rule EQGRP_SecondDate_2211 {
 rule EQGRP_config_jp1_UA {
 meta:
 description = "EQGRP Toolset Firewall - file config_jp1_UA.pl"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -438,6 +464,7 @@ rule EQGRP_config_jp1_UA {
 rule EQGRP_userscript {
 meta:
 description = "EQGRP Toolset Firewall - file userscript.FW"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -451,6 +478,7 @@ rule EQGRP_userscript {
 rule EQGRP_BBALL_M50FW08_2201 {
 meta:
 description = "EQGRP Toolset Firewall - file BBALL_M50FW08-2201.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -469,6 +497,7 @@ rule EQGRP_BBALL_M50FW08_2201 {
 rule EQGRP_BUSURPER_3001_724 {
 meta:
 description = "EQGRP Toolset Firewall - file BUSURPER-3001-724.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -484,6 +513,7 @@ rule EQGRP_BUSURPER_3001_724 {
 rule EQGRP_workit {
 meta:
 description = "EQGRP Toolset Firewall - file workit.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -507,6 +537,7 @@ rule EQGRP_workit {
 rule EQGRP_tinyhttp_setup {
 meta:
 description = "EQGRP Toolset Firewall - file tinyhttp_setup.sh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -523,6 +554,7 @@ rule EQGRP_tinyhttp_setup {
 rule EQGRP_shellcode {
 meta:
 description = "EQGRP Toolset Firewall - file shellcode.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -542,6 +574,7 @@ rule EQGRP_shellcode {
 rule EQGRP_EPBA {
 meta:
 description = "EQGRP Toolset Firewall - file EPBA.script"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -561,6 +594,7 @@ rule EQGRP_EPBA {
 rule EQGRP_BPIE {
 meta:
 description = "EQGRP Toolset Firewall - file BPIE-2201.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -581,6 +615,7 @@ rule EQGRP_BPIE {
 rule EQGRP_jetplow_SH {
 meta:
 description = "EQGRP Toolset Firewall - file jetplow.sh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -597,6 +632,7 @@ rule EQGRP_jetplow_SH {
 rule EQGRP_BBANJO {
 meta:
 description = "EQGRP Toolset Firewall - file BBANJO-3011.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -616,6 +652,7 @@ rule EQGRP_BBANJO {
 rule EQGRP_BPATROL_2201 {
 meta:
 description = "EQGRP Toolset Firewall - file BPATROL-2201.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -633,6 +670,7 @@ rule EQGRP_BPATROL_2201 {
 rule EQGRP_extrabacon {
 meta:
 description = "EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -650,6 +688,7 @@ rule EQGRP_extrabacon {
 rule EQGRP_sploit_py {
 meta:
 description = "EQGRP Toolset Firewall - file sploit.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -665,6 +704,7 @@ rule EQGRP_sploit_py {
 rule EQGRP_uninstallPBD {
 meta:
 description = "EQGRP Toolset Firewall - file uninstallPBD.bat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -680,6 +720,7 @@ rule EQGRP_uninstallPBD {
 rule EQGRP_BICECREAM {
 meta:
 description = "EQGRP Toolset Firewall - file BICECREAM-2140"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -701,6 +742,7 @@ rule EQGRP_BICECREAM {
 rule EQGRP_create_http_injection {
 meta:
 description = "EQGRP Toolset Firewall - file create_http_injection.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -719,6 +761,7 @@ rule EQGRP_create_http_injection {
 rule EQGRP_BFLEA_2201 {
 meta:
 description = "EQGRP Toolset Firewall - file BFLEA-2201.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -738,6 +781,7 @@ rule EQGRP_BFLEA_2201 {
 rule EQGRP_BpfCreator_RHEL4 {
 meta:
 description = "EQGRP Toolset Firewall - file BpfCreator-RHEL4"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -755,6 +799,7 @@ rule EQGRP_BpfCreator_RHEL4 {
 rule EQGRP_StoreFc {
 meta:
 description = "EQGRP Toolset Firewall - file StoreFc.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -770,6 +815,7 @@ rule EQGRP_StoreFc {
 rule EQGRP_hexdump {
 meta:
 description = "EQGRP Toolset Firewall - file hexdump.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -786,6 +832,7 @@ rule EQGRP_hexdump {
 rule EQGRP_BBALL {
 meta:
 description = "EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -807,6 +854,7 @@ rule EQGRP_BBALL {
 rule EQGRP_BARPUNCH_BPICKER {
 meta:
 description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -826,6 +874,7 @@ rule EQGRP_BARPUNCH_BPICKER {
 rule EQGRP_Implants_Gen6 {
 meta:
 description = "EQGRP Toolset Firewall"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -854,6 +903,7 @@ rule EQGRP_Implants_Gen6 {
 rule EQGRP_Implants_Gen5 {
 meta:
 description = "EQGRP Toolset Firewall"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -879,6 +929,7 @@ rule EQGRP_Implants_Gen5 {
 rule EQGRP_pandarock {
 meta:
 description = "EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -906,6 +957,7 @@ rule EQGRP_pandarock {
 rule EQGRP_BananaUsurper_writeJetPlow {
 meta:
 description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -925,6 +977,7 @@ rule EQGRP_BananaUsurper_writeJetPlow {
 rule EQGRP_Implants_Gen4 {
 meta:
 description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -946,6 +999,7 @@ rule EQGRP_Implants_Gen4 {
 rule EQGRP_Implants_Gen3 {
 meta:
 description = "EQGRP Toolset Firewall"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -969,6 +1023,7 @@ rule EQGRP_Implants_Gen3 {
 rule EQGRP_BLIAR_BLIQUER {
 meta:
 description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1002,6 +1057,7 @@ rule EQGRP_BLIAR_BLIQUER {
 rule EQGRP_sploit {
 meta:
 description = "EQGRP Toolset Firewall - from files sploit.py, sploit.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1024,6 +1080,7 @@ rule EQGRP_sploit {
 rule EQGRP_Implants_Gen2 {
 meta:
 description = "EQGRP Toolset Firewall"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1055,6 +1112,7 @@ rule EQGRP_Implants_Gen2 {
 rule EQGRP_Implants_Gen1 {
 meta:
 description = "EQGRP Toolset Firewall"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1084,6 +1142,7 @@ rule EQGRP_Implants_Gen1 {
 rule EQGRP_eligiblebombshell_generic {
 meta:
 description = "EQGRP Toolset Firewall - from files eligiblebombshell_1.2.0.1.py, eligiblebombshell_1.2.0.1.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1101,6 +1160,7 @@ rule EQGRP_eligiblebombshell_generic {
 rule EQGRP_ssh_telnet_29 {
 meta:
 description = "EQGRP Toolset Firewall - from files ssh.py, telnet.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1124,6 +1184,7 @@ rule EQGRP_ssh_telnet_29 {
 rule EQGRP_tinyexec {
 meta:
 description = "EQGRP Toolset Firewall - from files tinyexec"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1137,6 +1198,7 @@ rule EQGRP_tinyexec {
 rule EQGRP_callbacks {
 meta:
 description = "EQGRP Toolset Firewall - Callback addresses"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1149,6 +1211,7 @@ rule EQGRP_callbacks {
 rule EQGRP_Extrabacon_Output {
 meta:
 description = "EQGRP Toolset Firewall - Extrabacon exploit output"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1165,6 +1228,7 @@ rule EQGRP_Extrabacon_Output {
 rule EQGRP_Unique_Strings {
 meta:
 description = "EQGRP Toolset Firewall - Unique strings"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research"
 date = "2016-08-16"
@@ -1178,6 +1242,7 @@ rule EQGRP_Unique_Strings {
 rule EQGRP_RC5_RC6_Opcode {
 meta:
 description = "EQGRP Toolset Firewall - RC5 / RC6 opcode"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/incidents/75812/the-equation-giveaway/"
 date = "2016-08-17"
@@ -1206,6 +1271,7 @@ rule EQGRP_RC5_RC6_Opcode {
 rule EquationGroup_modifyAudit_Implant {
 meta:
 description = "EquationGroup Malware - file modifyAudit_Implant.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1222,6 +1288,7 @@ rule EquationGroup_modifyAudit_Implant {
 rule EquationGroup_modifyAudit_Lp {
 meta:
 description = "EquationGroup Malware - file modifyAudit_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1239,6 +1306,7 @@ rule EquationGroup_modifyAudit_Lp {
 rule EquationGroup_ProcessHide_Lp {
 meta:
 description = "EquationGroup Malware - file ProcessHide_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1258,6 +1326,7 @@ rule EquationGroup_ProcessHide_Lp {
 rule EquationGroup_pwdump_Implant {
 meta:
 description = "EquationGroup Malware - file pwdump_Implant.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1273,6 +1342,7 @@ rule EquationGroup_pwdump_Implant {
 rule EquationGroup_EquationDrug_Gen_5 {
 meta:
 description = "EquationGroup Malware - file PC_Level3_http_dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1289,6 +1359,7 @@ rule EquationGroup_EquationDrug_Gen_5 {
 rule EquationGroup_PC_Level3_http_flav_dll {
 meta:
 description = "EquationGroup Malware - file PC_Level3_http_flav_dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1306,6 +1377,7 @@ rule EquationGroup_PC_Level3_http_flav_dll {
 rule EquationGroup_LSADUMP_Lp {
 meta:
 description = "EquationGroup Malware - file LSADUMP_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1319,6 +1391,7 @@ rule EquationGroup_LSADUMP_Lp {
 rule EquationGroup_EquationDrug_mstcp32 {
 meta:
 description = "EquationGroup Malware - file mstcp32.sys"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1340,6 +1413,7 @@ rule EquationGroup_EquationDrug_mstcp32 {
 rule EquationGroup_nethide_Lp {
 meta:
 description = "EquationGroup Malware - file nethide_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1357,6 +1431,7 @@ rule EquationGroup_nethide_Lp {
 rule EquationGroup_PC_Level4_flav_dll_x64 {
 meta:
 description = "EquationGroup Malware - file PC_Level4_flav_dll_x64"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1372,6 +1447,7 @@ rule EquationGroup_PC_Level4_flav_dll_x64 {
 rule EquationGroup_PC_Level4_flav_exe {
 meta:
 description = "EquationGroup Malware - file PC_Level4_flav_exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1390,6 +1466,7 @@ rule EquationGroup_PC_Level4_flav_exe {
 rule EquationGroup_processinfo_Implant {
 meta:
 description = "EquationGroup Malware - file processinfo_Implant.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1421,6 +1498,7 @@ rule EquationGroup_EquationDrug_Gen_2 {
 rule EquationGroup_EquationDrug_ntevt {
 meta:
 description = "EquationGroup Malware - file ntevt.sys"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1435,6 +1513,7 @@ rule EquationGroup_EquationDrug_ntevt {
 rule EquationGroup_nethide_Implant {
 meta:
 description = "EquationGroup Malware - file nethide_Implant.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1464,6 +1543,7 @@ rule EquationGroup_EquationDrug_Gen_4 {
 rule EquationGroup_EquationDrug_tdi6 {
 meta:
 description = "EquationGroup Malware - file tdi6.sys"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1480,6 +1560,7 @@ rule EquationGroup_EquationDrug_tdi6 {
 rule EquationGroup_modifyAuthentication_Implant {
 meta:
 description = "EquationGroup Malware - file modifyAuthentication_Implant.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1497,6 +1578,7 @@ rule EquationGroup_modifyAuthentication_Implant {
 rule EquationGroup_ntfltmgr {
 meta:
 description = "EquationGroup Malware - file ntfltmgr.sys"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1513,6 +1595,7 @@ rule EquationGroup_ntfltmgr {
 rule EquationGroup_DXGHLP16 {
 meta:
 description = "EquationGroup Malware - file DXGHLP16.SYS"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1534,6 +1617,7 @@ rule EquationGroup_DXGHLP16 {
 rule EquationGroup_EquationDrug_msgkd {
 meta:
 description = "EquationGroup Malware - file msgkd.ex_"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1548,6 +1632,7 @@ rule EquationGroup_EquationDrug_msgkd {
 rule EquationGroup_RunAsChild_Lp {
 meta:
 description = "EquationGroup Malware - file RunAsChild_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1563,6 +1648,7 @@ rule EquationGroup_RunAsChild_Lp {
 rule EquationGroup_EquationDrug_Gen_6 {
 meta:
 description = "EquationGroup Malware - file PC_Level3_dll_x64"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1578,6 +1664,7 @@ rule EquationGroup_EquationDrug_Gen_6 {
 rule EquationGroup_PC_Level3_http_flav_dll_x64 {
 meta:
 description = "EquationGroup Malware - file PC_Level3_http_flav_dll_x64"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1610,6 +1697,7 @@ rule EquationGroup_EquationDrug_Gen_3 {
 rule EquationGroup_GetAdmin_Lp {
 meta:
 description = "EquationGroup Malware - file GetAdmin_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1624,6 +1712,7 @@ rule EquationGroup_GetAdmin_Lp {
 rule EquationGroup_ModifyGroup_Lp {
 meta:
 description = "EquationGroup Malware - file ModifyGroup_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1638,6 +1727,7 @@ rule EquationGroup_ModifyGroup_Lp {
 rule EquationGroup_pwdump_Lp {
 meta:
 description = "EquationGroup Malware - file pwdump_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1651,6 +1741,7 @@ rule EquationGroup_pwdump_Lp {
 rule EquationGroup_EventLogEdit_Implant {
 meta:
 description = "EquationGroup Malware - file EventLogEdit_Implant.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1666,6 +1757,7 @@ rule EquationGroup_EventLogEdit_Implant {
 rule EquationGroup_PortMap_Lp {
 meta:
 description = "EquationGroup Malware - file PortMap_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1681,6 +1773,7 @@ rule EquationGroup_PortMap_Lp {
 rule EquationGroup_ProcessOptions_Lp {
 meta:
 description = "EquationGroup Malware - file ProcessOptions_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1694,6 +1787,7 @@ rule EquationGroup_ProcessOptions_Lp {
 rule EquationGroup_PassFreely_Lp {
 meta:
 description = "EquationGroup Malware - file PassFreely_Lp.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
@@ -1711,6 +1805,7 @@ rule EquationGroup_PassFreely_Lp {
 rule EquationGroup_EquationDrug_Gen_1 {
 meta:
 description = "EquationGroup Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tcSoiJ"
 date = "2017-01-13"
diff --git a/yara/apt_eqgrp_apr17.yar b/yara/apt_eqgrp_apr17.yar
index ca13265..82b27ab 100644
--- a/yara/apt_eqgrp_apr17.yar
+++ b/yara/apt_eqgrp_apr17.yar
@@ -15,6 +15,7 @@
 rule EquationGroup_emptycriss {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file emptycriss"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -30,6 +31,7 @@ rule EquationGroup_emptycriss {
 rule EquationGroup_scripme {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file scripme"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -46,6 +48,7 @@ rule EquationGroup_scripme {
 rule EquationGroup_cryptTool {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file cryptTool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -60,6 +63,7 @@ rule EquationGroup_cryptTool {
 rule EquationGroup_dumppoppy {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file dumppoppy"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -76,6 +80,7 @@ rule EquationGroup_dumppoppy {
 rule EquationGroup_Auditcleaner {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -94,6 +99,7 @@ rule EquationGroup_Auditcleaner {
 rule EquationGroup_reverse_shell {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file reverse.shell.script"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -108,6 +114,7 @@ rule EquationGroup_reverse_shell {
 rule EquationGroup_tnmunger {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file tnmunger"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -122,6 +129,7 @@ rule EquationGroup_tnmunger {
 rule EquationGroup_ys_ratload {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file ys.ratload.sh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -137,6 +145,7 @@ rule EquationGroup_ys_ratload {
 rule EquationGroup_eh_1_1_0 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file eh.1.1.0.0"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -152,6 +161,7 @@ rule EquationGroup_eh_1_1_0 {
 rule EquationGroup_evolvingstrategy_1_0_1 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -170,6 +180,7 @@ rule EquationGroup_evolvingstrategy_1_0_1 {
 rule EquationGroup_toast_v3_2_0 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file toast_v3.2.0.1-linux"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -185,6 +196,7 @@ rule EquationGroup_toast_v3_2_0 {
 rule EquationGroup_sshobo {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file sshobo"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -201,6 +213,7 @@ rule EquationGroup_sshobo {
 rule EquationGroup_magicjack_v1_1_0_0_client_1_1_0_0 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file magicjack_v1.1.0.0_client-1.1.0.0.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -215,6 +228,7 @@ rule EquationGroup_magicjack_v1_1_0_0_client_1_1_0_0 {
 rule EquationGroup_packrat {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file packrat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -230,6 +244,7 @@ rule EquationGroup_packrat {
 rule EquationGroup_telex {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file telex"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -246,6 +261,7 @@ rule EquationGroup_telex {
 rule EquationGroup_calserver {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file calserver"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -261,6 +277,7 @@ rule EquationGroup_calserver {
 rule EquationGroup_porkclient {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file porkclient"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -276,6 +293,7 @@ rule EquationGroup_porkclient {
 rule EquationGroup_electricslide {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file electricslide"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -292,6 +310,7 @@ rule EquationGroup_electricslide {
 rule EquationGroup_libXmexploit2 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file libXmexploit2.8"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -307,6 +326,7 @@ rule EquationGroup_libXmexploit2 {
 rule EquationGroup_wrap_telnet {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -322,6 +342,7 @@ rule EquationGroup_wrap_telnet {
 rule EquationGroup_elgingamble {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file elgingamble"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -338,6 +359,7 @@ rule EquationGroup_elgingamble {
 rule EquationGroup_cmsd {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file cmsd"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -355,6 +377,7 @@ rule EquationGroup_cmsd {
 rule EquationGroup_ebbshave {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -371,6 +394,7 @@ rule EquationGroup_ebbshave {
 rule EquationGroup_eggbasket {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file eggbasket"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -386,6 +410,7 @@ rule EquationGroup_eggbasket {
 rule EquationGroup_jparsescan {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file jparsescan"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -400,6 +425,7 @@ rule EquationGroup_jparsescan {
 rule EquationGroup_sambal {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file sambal"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -417,6 +443,7 @@ rule EquationGroup_sambal {
 rule EquationGroup_pclean_v2_1_1_2 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file pclean.v2.1.1.0-linux-i386"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -431,6 +458,7 @@ rule EquationGroup_pclean_v2_1_1_2 {
 rule EquationGroup_envisioncollision {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file envisioncollision"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -447,6 +475,7 @@ rule EquationGroup_envisioncollision {
 rule EquationGroup_cmsex {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file cmsex"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -464,6 +493,7 @@ rule EquationGroup_cmsex {
 rule EquationGroup_exze {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file exze"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -479,6 +509,7 @@ rule EquationGroup_exze {
 rule EquationGroup_porkserver {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file porkserver"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -495,6 +526,7 @@ rule EquationGroup_porkserver {
 rule EquationGroup_DUL {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file DUL"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -509,6 +541,7 @@ rule EquationGroup_DUL {
 rule EquationGroup_slugger2 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file slugger2"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -528,6 +561,7 @@ rule EquationGroup_slugger2 {
 rule EquationGroup_ebbisland {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file ebbisland"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -546,6 +580,7 @@ rule EquationGroup_ebbisland {
 rule EquationGroup_jackpop {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file jackpop"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -564,6 +599,7 @@ rule EquationGroup_jackpop {
 rule EquationGroup_parsescan {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file parsescan"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -578,6 +614,7 @@ rule EquationGroup_parsescan {
 rule EquationGroup_jscan {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file jscan"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -592,6 +629,7 @@ rule EquationGroup_jscan {
 rule EquationGroup_promptkill {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file promptkill"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -606,6 +644,7 @@ rule EquationGroup_promptkill {
 rule EquationGroup_epoxyresin_v1_0_0 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -623,6 +662,7 @@ rule EquationGroup_epoxyresin_v1_0_0 {
 rule EquationGroup_estopmoonlit {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -639,6 +679,7 @@ rule EquationGroup_estopmoonlit {
 rule EquationGroup_envoytomato {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file envoytomato"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -653,6 +694,7 @@ rule EquationGroup_envoytomato {
 rule EquationGroup_smash {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file smash"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -668,6 +710,7 @@ rule EquationGroup_smash {
 rule EquationGroup_ratload {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file ratload"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -683,6 +726,7 @@ rule EquationGroup_ratload {
 rule EquationGroup_ys {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file ys.auto"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -698,6 +742,7 @@ rule EquationGroup_ys {
 rule EquationGroup_ewok {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file ewok"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -714,6 +759,7 @@ rule EquationGroup_ewok {
 rule EquationGroup_xspy {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file xspy"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -727,6 +773,7 @@ rule EquationGroup_xspy {
 rule EquationGroup_estesfox {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file estesfox"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -740,6 +787,7 @@ rule EquationGroup_estesfox {
 rule EquationGroup_elatedmonkey_1_0_1_1 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -756,6 +804,7 @@ rule EquationGroup_elatedmonkey_1_0_1_1 {
 rule EquationGroup_scanner {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- file scanner"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -773,6 +822,7 @@ rule EquationGroup_scanner {
 rule EquationGroup__ftshell_ftshell_v3_10_3_0 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -791,6 +841,7 @@ rule EquationGroup__ftshell_ftshell_v3_10_3_0 {
 rule EquationGroup__scanner_scanner_v2_1_2 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -810,6 +861,7 @@ rule EquationGroup__scanner_scanner_v2_1_2 {
 rule EquationGroup__ghost_sparc_ghost_x86_3 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -828,6 +880,7 @@ rule EquationGroup__ghost_sparc_ghost_x86_3 {
 rule EquationGroup__pclean_v2_1_1_pclean_v2_1_1_4 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- from files pclean.v2.1.1.0-linux-i386, pclean.v2.1.1.0-linux-x86_64"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -844,6 +897,7 @@ rule EquationGroup__pclean_v2_1_1_pclean_v2_1_1_4 {
 rule EquationGroup__jparsescan_parsescan_5 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -862,6 +916,7 @@ rule EquationGroup__jparsescan_parsescan_5 {
 rule EquationGroup__funnelout_v4_1_0_1 {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -879,6 +934,7 @@ rule EquationGroup__funnelout_v4_1_0_1 {
 rule EquationGroup__magicjack_v1_1_0_0_client {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -896,6 +952,7 @@ rule EquationGroup__magicjack_v1_1_0_0_client {
 rule EquationGroup__ftshell {
 meta:
 description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-08"
@@ -922,6 +979,7 @@ rule EquationGroup__ftshell {
 rule EquationGroup_store_linux_i386_v_3_3_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -937,6 +995,7 @@ rule EquationGroup_store_linux_i386_v_3_3_0 {
 rule EquationGroup_morerats_client_genkey {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -951,6 +1010,7 @@ rule EquationGroup_morerats_client_genkey {
 rule EquationGroup_cursetingle_2_0_1_2_mswin32_v_2_0_1 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -965,6 +1025,7 @@ rule EquationGroup_cursetingle_2_0_1_2_mswin32_v_2_0_1 {
 rule EquationGroup_cursesleepy_mswin32_v_1_0_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -980,6 +1041,7 @@ rule EquationGroup_cursesleepy_mswin32_v_1_0_0 {
 rule EquationGroup_porkserver_v3_0_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -997,6 +1059,7 @@ rule EquationGroup_porkserver_v3_0_0 {
 rule EquationGroup_cursehelper_win2k_i686_v_2_2_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1013,6 +1076,7 @@ rule EquationGroup_cursehelper_win2k_i686_v_2_2_0 {
 rule EquationGroup_morerats_client_addkey {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1028,6 +1092,7 @@ rule EquationGroup_morerats_client_addkey {
 rule EquationGroup_noclient_3_3_2 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1045,6 +1110,7 @@ rule EquationGroup_noclient_3_3_2 {
 rule EquationGroup_curseflower_mswin32_v_1_0_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1060,6 +1126,7 @@ rule EquationGroup_curseflower_mswin32_v_1_0_0 {
 rule EquationGroup_tmpwatch {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1074,6 +1141,7 @@ rule EquationGroup_tmpwatch {
 rule EquationGroup_orleans_stride_sunos5_9_v_2_4_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1089,6 +1157,7 @@ rule EquationGroup_orleans_stride_sunos5_9_v_2_4_0 {
 rule EquationGroup_morerats_client_noprep {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1104,6 +1173,7 @@ rule EquationGroup_morerats_client_noprep {
 rule EquationGroup_cursezinger_linuxrh7_3_v_2_0_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1120,6 +1190,7 @@ rule EquationGroup_cursezinger_linuxrh7_3_v_2_0_0 {
 rule EquationGroup_seconddate_ImplantStandalone_3_0_3 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1135,6 +1206,7 @@ rule EquationGroup_seconddate_ImplantStandalone_3_0_3 {
 rule EquationGroup_watcher_solaris_i386_v_3_3_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1151,6 +1223,7 @@ rule EquationGroup_watcher_solaris_i386_v_3_3_0 {
 rule EquationGroup_gr_dev_bin_now {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1165,6 +1238,7 @@ rule EquationGroup_gr_dev_bin_now {
 rule EquationGroup_gr_dev_bin_post {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1178,6 +1252,7 @@ rule EquationGroup_gr_dev_bin_post {
 rule EquationGroup_curseyo_win2k_v_1_0_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1195,6 +1270,7 @@ rule EquationGroup_curseyo_win2k_v_1_0_0 {
 rule EquationGroup_gr {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1209,6 +1285,7 @@ rule EquationGroup_gr {
 rule EquationGroup_curseroot_win2k_v_2_1_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1225,6 +1302,7 @@ rule EquationGroup_curseroot_win2k_v_2_1_0 {
 rule EquationGroup_cursewham_curserazor_cursezinger_curseroot_win2k {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1245,6 +1323,7 @@ rule EquationGroup_cursewham_curserazor_cursezinger_curseroot_win2k {
 rule EquationGroup_watcher_linux_i386_v_3_3_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1262,6 +1341,7 @@ rule EquationGroup_watcher_linux_i386_v_3_3_0 {
 rule EquationGroup_charm_saver_win2k_v_2_0_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1278,6 +1358,7 @@ rule EquationGroup_charm_saver_win2k_v_2_0_0 {
 rule EquationGroup_cursehappy_win2k_v_6_1_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1292,6 +1373,7 @@ rule EquationGroup_cursehappy_win2k_v_6_1_0 {
 rule EquationGroup_morerats_client_Store {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1308,6 +1390,7 @@ rule EquationGroup_morerats_client_Store {
 rule EquationGroup_watcher_linux_x86_64_v_3_3_0 {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1323,6 +1406,7 @@ rule EquationGroup_watcher_linux_x86_64_v_3_3_0 {
 rule EquationGroup_linux_exactchange {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1343,6 +1427,7 @@ rule EquationGroup_linux_exactchange {
 rule EquationGroup_x86_linux_exactchange {
 meta:
 description = "Equation Group hack tool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
 date = "2017-04-09"
@@ -1369,6 +1454,7 @@ rule EquationGroup_x86_linux_exactchange {
 rule EquationGroup_Toolset_Apr17_Eclipsedwing_Rpcproxy_Pcdlllauncher {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1386,6 +1472,7 @@ rule EquationGroup_Toolset_Apr17_Eclipsedwing_Rpcproxy_Pcdlllauncher {
 rule EquationGroup_Toolset_Apr17_Explodingcantouch_1_2_1 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1401,6 +1488,7 @@ rule EquationGroup_Toolset_Apr17_Explodingcantouch_1_2_1 {
 rule EquationGroup_Toolset_Apr17_Architouch_1_0_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1414,6 +1502,7 @@ rule EquationGroup_Toolset_Apr17_Architouch_1_0_0 {
 rule EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1430,6 +1519,7 @@ rule EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1 {
 rule EquationGroup_Toolset_Apr17_Esteemaudit_2_1_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1444,6 +1534,7 @@ rule EquationGroup_Toolset_Apr17_Esteemaudit_2_1_0 {
 rule EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1458,6 +1549,7 @@ rule EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0 {
 rule EquationGroup_Toolset_Apr17_Educatedscholar_1_0_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1472,6 +1564,7 @@ rule EquationGroup_Toolset_Apr17_Educatedscholar_1_0_0 {
 rule EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1487,6 +1580,7 @@ rule EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1 {
 rule EquationGroup_Toolset_Apr17_Erraticgophertouch_1_0_1 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1502,6 +1596,7 @@ rule EquationGroup_Toolset_Apr17_Erraticgophertouch_1_0_1 {
 rule EquationGroup_Toolset_Apr17_Smbtouch_1_1_1 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1515,6 +1610,7 @@ rule EquationGroup_Toolset_Apr17_Smbtouch_1_1_1 {
 rule EquationGroup_Toolset_Apr17_Educatedscholartouch_1_0_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1529,6 +1625,7 @@ rule EquationGroup_Toolset_Apr17_Educatedscholartouch_1_0_0 {
 rule EquationGroup_Toolset_Apr17_Esteemaudittouch_2_1_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1543,6 +1640,7 @@ rule EquationGroup_Toolset_Apr17_Esteemaudittouch_2_1_0 {
 rule EquationGroup_Toolset_Apr17_Rpctouch_2_1_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1557,6 +1655,7 @@ rule EquationGroup_Toolset_Apr17_Rpctouch_2_1_0 {
 rule EquationGroup_Toolset_Apr17_Mofconfig_1_0_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1570,6 +1669,7 @@ rule EquationGroup_Toolset_Apr17_Mofconfig_1_0_0 {
 rule EquationGroup_Toolset_Apr17_Easypi_Explodingcan {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1586,6 +1686,7 @@ rule EquationGroup_Toolset_Apr17_Easypi_Explodingcan {
 rule EquationGroup_Toolset_Apr17_Eclipsedwingtouch_1_0_4 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1600,6 +1701,7 @@ rule EquationGroup_Toolset_Apr17_Eclipsedwingtouch_1_0_4 {
 rule EquationGroup_Toolset_Apr17_Iistouch_1_2_2 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1614,6 +1716,7 @@ rule EquationGroup_Toolset_Apr17_Iistouch_1_2_2 {
 rule EquationGroup_Toolset_Apr17_Namedpipetouch_2_0_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1633,6 +1736,7 @@ rule EquationGroup_Toolset_Apr17_Namedpipetouch_2_0_0 {
 rule EquationGroup_Toolset_Apr17_Easybee_1_0_1 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1647,6 +1751,7 @@ rule EquationGroup_Toolset_Apr17_Easybee_1_0_1 {
 rule EquationGroup_Toolset_Apr17_Regread_1_1_1 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1661,6 +1766,7 @@ rule EquationGroup_Toolset_Apr17_Regread_1_1_1 {
 rule EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1675,6 +1781,7 @@ rule EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0 {
 rule EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1695,6 +1802,7 @@ rule EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch {
 rule EquationGroup_Toolset_Apr17_Eternalromance_2 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1712,6 +1820,7 @@ rule EquationGroup_Toolset_Apr17_Eternalromance_2 {
 rule EquationGroup_Toolset_Apr17__Emphasismine {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1731,6 +1840,7 @@ rule EquationGroup_Toolset_Apr17__Emphasismine {
 rule EquationGroup_Toolset_Apr17_Eternalromance {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1749,6 +1859,7 @@ rule EquationGroup_Toolset_Apr17_Eternalromance {
 rule EquationGroup_Toolset_Apr17_Gen4 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1780,6 +1891,7 @@ rule EquationGroup_Toolset_Apr17_Gen4 {
 rule EquationGroup_Toolset_Apr17_Gen1 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1799,6 +1911,7 @@ rule EquationGroup_Toolset_Apr17_Gen1 {
 rule EquationGroup_Toolset_Apr17_Gen2 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1825,6 +1938,7 @@ rule EquationGroup_Toolset_Apr17_Gen2 {
 rule EquationGroup_Toolset_Apr17_Gen3 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1863,6 +1977,7 @@ rule EquationGroup_Toolset_Apr17_Gen3 {
 rule EquationGroup_Toolset_Apr17_yak {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1879,6 +1994,7 @@ rule EquationGroup_Toolset_Apr17_yak {
 rule EquationGroup_Toolset_Apr17_AdUser_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1893,6 +2009,7 @@ rule EquationGroup_Toolset_Apr17_AdUser_Implant {
 rule EquationGroup_Toolset_Apr17_RemoteExecute_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1917,6 +2034,7 @@ rule EquationGroup_Toolset_Apr17_RemoteExecute_Implant {
 rule EquationGroup_Toolset_Apr17_Banner_Implant9x {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1932,6 +2050,7 @@ rule EquationGroup_Toolset_Apr17_Banner_Implant9x {
 rule EquationGroup_Toolset_Apr17_greatdoc_dll_config {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1948,6 +2067,7 @@ rule EquationGroup_Toolset_Apr17_greatdoc_dll_config {
 rule EquationGroup_Toolset_Apr17_scanner {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1965,6 +2085,7 @@ rule EquationGroup_Toolset_Apr17_scanner {
 rule EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1980,6 +2101,7 @@ rule EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std {
 rule EquationGroup_Toolset_Apr17_tacothief {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -1993,6 +2115,7 @@ rule EquationGroup_Toolset_Apr17_tacothief {
 rule EquationGroup_Toolset_Apr17_ntevt {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2012,6 +2135,7 @@ rule EquationGroup_Toolset_Apr17_ntevt {
 rule EquationGroup_Toolset_Apr17_Processes_Target {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2027,6 +2151,7 @@ rule EquationGroup_Toolset_Apr17_Processes_Target {
 rule EquationGroup_Toolset_Apr17_st_lp {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2043,6 +2168,7 @@ rule EquationGroup_Toolset_Apr17_st_lp {
 rule EquationGroup_Toolset_Apr17_EpWrapper {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2058,6 +2184,7 @@ rule EquationGroup_Toolset_Apr17_EpWrapper {
 rule EquationGroup_Toolset_Apr17_DiBa_Target_2000 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2075,6 +2202,7 @@ rule EquationGroup_Toolset_Apr17_DiBa_Target_2000 {
 rule EquationGroup_Toolset_Apr17_DllLoad_Target {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2092,6 +2220,7 @@ rule EquationGroup_Toolset_Apr17_DllLoad_Target {
 rule EquationGroup_Toolset_Apr17_EXPA {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2108,6 +2237,7 @@ rule EquationGroup_Toolset_Apr17_EXPA {
 rule EquationGroup_Toolset_Apr17_RemoteExecute_Target {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2124,6 +2254,7 @@ rule EquationGroup_Toolset_Apr17_RemoteExecute_Target {
 rule EquationGroup_Toolset_Apr17_DS_ParseLogs {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2139,6 +2270,7 @@ rule EquationGroup_Toolset_Apr17_DS_ParseLogs {
 rule EquationGroup_Toolset_Apr17_Oracle_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2154,6 +2286,7 @@ rule EquationGroup_Toolset_Apr17_Oracle_Implant {
 rule EquationGroup_Toolset_Apr17_DmGz_Target {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2168,6 +2301,7 @@ rule EquationGroup_Toolset_Apr17_DmGz_Target {
 rule EquationGroup_Toolset_Apr17_SetResourceName {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2184,6 +2318,7 @@ rule EquationGroup_Toolset_Apr17_SetResourceName {
 rule EquationGroup_Toolset_Apr17_drivers_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2200,6 +2335,7 @@ rule EquationGroup_Toolset_Apr17_drivers_Implant {
 rule EquationGroup_Toolset_Apr17_Shares_Target {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2216,6 +2352,7 @@ rule EquationGroup_Toolset_Apr17_Shares_Target {
 rule EquationGroup_Toolset_Apr17_ntfltmgr {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2240,6 +2377,7 @@ rule EquationGroup_Toolset_Apr17_ntfltmgr {
 rule EquationGroup_Toolset_Apr17_DiBa_Target_BH {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2255,6 +2393,7 @@ rule EquationGroup_Toolset_Apr17_DiBa_Target_BH {
 rule EquationGroup_Toolset_Apr17_PC_LP {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2269,6 +2408,7 @@ rule EquationGroup_Toolset_Apr17_PC_LP {
 rule EquationGroup_Toolset_Apr17_RemoteCommand_Lp {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2283,6 +2423,7 @@ rule EquationGroup_Toolset_Apr17_RemoteCommand_Lp {
 rule EquationGroup_Toolset_Apr17_lp_mstcp {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2302,6 +2443,7 @@ rule EquationGroup_Toolset_Apr17_lp_mstcp {
 rule EquationGroup_Toolset_Apr17_renamer {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2316,6 +2458,7 @@ rule EquationGroup_Toolset_Apr17_renamer {
 rule EquationGroup_Toolset_Apr17_PC_Exploit {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2332,6 +2475,7 @@ rule EquationGroup_Toolset_Apr17_PC_Exploit {
 rule EquationGroup_Toolset_Apr17_PC_Level3_Gen {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2351,6 +2495,7 @@ rule EquationGroup_Toolset_Apr17_PC_Level3_Gen {
 rule EquationGroup_Toolset_Apr17_put_Implant9x {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2367,6 +2512,7 @@ rule EquationGroup_Toolset_Apr17_put_Implant9x {
 rule EquationGroup_Toolset_Apr17_promiscdetect_safe {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2382,6 +2528,7 @@ rule EquationGroup_Toolset_Apr17_promiscdetect_safe {
 rule EquationGroup_Toolset_Apr17_PacketScan_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2397,6 +2544,7 @@ rule EquationGroup_Toolset_Apr17_PacketScan_Implant {
 rule EquationGroup_Toolset_Apr17_SetPorts {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2411,6 +2559,7 @@ rule EquationGroup_Toolset_Apr17_SetPorts {
 rule EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2426,6 +2575,7 @@ rule EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant {
 rule EquationGroup_Toolset_Apr17_msgks_mskgu {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2442,6 +2592,7 @@ rule EquationGroup_Toolset_Apr17_msgks_mskgu {
 rule EquationGroup_Toolset_Apr17_Ifconfig_Target {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2458,6 +2609,7 @@ rule EquationGroup_Toolset_Apr17_Ifconfig_Target {
 rule EquationGroup_Toolset_Apr17_DiBa_Target {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2473,6 +2625,7 @@ rule EquationGroup_Toolset_Apr17_DiBa_Target {
 rule EquationGroup_Toolset_Apr17_Dsz_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2487,6 +2640,7 @@ rule EquationGroup_Toolset_Apr17_Dsz_Implant {
 rule EquationGroup_Toolset_Apr17_GenKey {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2500,6 +2654,7 @@ rule EquationGroup_Toolset_Apr17_GenKey {
 rule EquationGroup_Toolset_Apr17_wmi_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2513,6 +2668,7 @@ rule EquationGroup_Toolset_Apr17_wmi_Implant {
 rule EquationGroup_Toolset_Apr17_clocksvc {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2533,6 +2689,7 @@ rule EquationGroup_Toolset_Apr17_clocksvc {
 rule EquationGroup_Toolset_Apr17_xxxRIDEAREA {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2549,6 +2706,7 @@ rule EquationGroup_Toolset_Apr17_xxxRIDEAREA {
 rule EquationGroup_Toolset_Apr17_yak_min_install {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2564,6 +2722,7 @@ rule EquationGroup_Toolset_Apr17_yak_min_install {
 rule EquationGroup_Toolset_Apr17_SetOurAddr {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2578,6 +2737,7 @@ rule EquationGroup_Toolset_Apr17_SetOurAddr {
 rule EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2600,6 +2760,7 @@ rule EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant {
 rule EquationGroup_Toolset_Apr17_SendPKTrigger {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2613,6 +2774,7 @@ rule EquationGroup_Toolset_Apr17_SendPKTrigger {
 rule EquationGroup_Toolset_Apr17_DmGz_Target_2 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2630,6 +2792,7 @@ rule EquationGroup_Toolset_Apr17_DmGz_Target_2 {
 rule EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2650,6 +2813,7 @@ rule EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip {
 rule EquationGroup_Toolset_Apr17_regprobe {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2665,6 +2829,7 @@ rule EquationGroup_Toolset_Apr17_regprobe {
 rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2682,6 +2847,7 @@ rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2 {
 rule EquationGroup_Toolset_Apr17_GangsterThief_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2699,6 +2865,7 @@ rule EquationGroup_Toolset_Apr17_GangsterThief_Implant {
 rule EquationGroup_Toolset_Apr17_SetCallbackPorts {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2713,6 +2880,7 @@ rule EquationGroup_Toolset_Apr17_SetCallbackPorts {
 rule EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2727,6 +2895,7 @@ rule EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000 {
 rule EquationGroup_Toolset_Apr17_rc5 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2743,6 +2912,7 @@ rule EquationGroup_Toolset_Apr17_rc5 {
 rule EquationGroup_Toolset_Apr17_PC_Level_Generic {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2773,6 +2943,7 @@ rule EquationGroup_Toolset_Apr17_PC_Level_Generic {
 rule EquationGroup_Toolset_Apr17_PC_Level3_http_exe {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2790,6 +2961,7 @@ rule EquationGroup_Toolset_Apr17_PC_Level3_http_exe {
 rule EquationGroup_Toolset_Apr17_ParseCapture {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2805,6 +2977,7 @@ rule EquationGroup_Toolset_Apr17_ParseCapture {
 rule EquationGroup_Toolset_Apr17_ActiveDirectory_Target {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2819,6 +2992,7 @@ rule EquationGroup_Toolset_Apr17_ActiveDirectory_Target {
 rule EquationGroup_Toolset_Apr17_PC_Legacy_dll {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2834,6 +3008,7 @@ rule EquationGroup_Toolset_Apr17_PC_Legacy_dll {
 rule EquationGroup_Toolset_Apr17_svctouch {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2847,6 +3022,7 @@ rule EquationGroup_Toolset_Apr17_svctouch {
 rule EquationGroup_Toolset_Apr17_pwd_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2862,6 +3038,7 @@ rule EquationGroup_Toolset_Apr17_pwd_Implant {
 rule EquationGroup_Toolset_Apr17_KisuComms_Target_2000 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2882,6 +3059,7 @@ rule EquationGroup_Toolset_Apr17_KisuComms_Target_2000 {
 rule EquationGroup_Toolset_Apr17_SlDecoder {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2896,6 +3074,7 @@ rule EquationGroup_Toolset_Apr17_SlDecoder {
 rule EquationGroup_Toolset_Apr17_Windows_Implant {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2909,6 +3088,7 @@ rule EquationGroup_Toolset_Apr17_Windows_Implant {
 rule EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2934,6 +3114,7 @@ rule EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld {
 rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_3 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2949,6 +3130,7 @@ rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_3 {
 rule EquationGroup_Toolset_Apr17_SetCallback {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2963,6 +3145,7 @@ rule EquationGroup_Toolset_Apr17_SetCallback {
 rule EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -2982,6 +3165,7 @@ rule EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 {
 rule EquationGroup_Toolset_Apr17__vtuner_vtuner_1 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3002,6 +3186,7 @@ rule EquationGroup_Toolset_Apr17__vtuner_vtuner_1 {
 rule EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3021,6 +3206,7 @@ rule EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2 {
 rule EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3044,6 +3230,7 @@ rule EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 {
 rule EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3060,6 +3247,7 @@ rule EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6 {
 rule EquationGroup_Toolset_Apr17__AddResource {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3077,6 +3265,7 @@ rule EquationGroup_Toolset_Apr17__AddResource {
 rule EquationGroup_Toolset_Apr17__ESKE_RPC2_8 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3093,6 +3282,7 @@ rule EquationGroup_Toolset_Apr17__ESKE_RPC2_8 {
 rule EquationGroup_Toolset_Apr17__LSADUMP_Lp_ModifyPrivilege_Lp_PacketScan_Lp_put_Lp_RemoteExecute_Lp_Windows_Lp_wmi_Lp_9 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3114,6 +3304,7 @@ rule EquationGroup_Toolset_Apr17__LSADUMP_Lp_ModifyPrivilege_Lp_PacketScan_Lp_pu
 rule EquationGroup_Toolset_Apr17__ETBL_ETRE_10 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3131,6 +3322,7 @@ rule EquationGroup_Toolset_Apr17__ETBL_ETRE_10 {
 rule EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3150,6 +3342,7 @@ rule EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11 {
 rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3167,6 +3360,7 @@ rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12 {
 rule EquationGroup_Toolset_Apr17__ELV_ESKE_13 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3183,6 +3377,7 @@ rule EquationGroup_Toolset_Apr17__ELV_ESKE_13 {
 rule EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3200,6 +3395,7 @@ rule EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14 {
 rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3218,6 +3414,7 @@ rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15 {
 rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_16 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3239,6 +3436,7 @@ rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_16 {
 rule EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17 {
 meta:
 description = "Detects EquationGroup Tool - April Leak"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
 date = "2017-04-15"
@@ -3266,6 +3464,7 @@ rule EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17 {
 rule EquationGroup_scanner_output {
 meta:
 description = "Detects output generated by EQGRP scanner.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-04-17"
diff --git a/yara/apt_eternalblue_non_wannacry.yar b/yara/apt_eternalblue_non_wannacry.yar
index 82b5d89..48b4c09 100644
--- a/yara/apt_eternalblue_non_wannacry.yar
+++ b/yara/apt_eternalblue_non_wannacry.yar
@@ -12,6 +12,7 @@
 rule Backdoor_Redosdru_Jun17 {
 meta:
 description = "Detects malware Redosdru - file systemHome.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/OOB3mH"
 date = "2017-06-04"
@@ -36,6 +37,7 @@ rule Backdoor_Redosdru_Jun17 {
 rule Backdoor_Nitol_Jun17 {
 meta:
 description = "Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/OOB3mH"
 date = "2017-06-04"
diff --git a/yara/apt_fakem_backdoor.yar b/yara/apt_fakem_backdoor.yar
index ffc550d..b843c28 100644
--- a/yara/apt_fakem_backdoor.yar
+++ b/yara/apt_fakem_backdoor.yar
@@ -8,6 +8,7 @@
 rule FakeM_Generic {
 meta:
 description = "Detects FakeM malware samples"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
 date = "2016-01-25"
diff --git a/yara/apt_fancybear_dnc.yar b/yara/apt_fancybear_dnc.yar
index 1431dca..c4a2939 100644
--- a/yara/apt_fancybear_dnc.yar
+++ b/yara/apt_fancybear_dnc.yar
@@ -10,6 +10,7 @@
 rule COZY_FANCY_BEAR_Hunt {
 meta:
 description = "Detects Cozy Bear / Fancy Bear C2 Server IPs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
 date = "2016-06-14"
@@ -28,6 +29,7 @@ rule COZY_FANCY_BEAR_Hunt {
 rule COZY_FANCY_BEAR_pagemgr_Hunt {
 meta:
 description = "Detects a pagemgr.exe as mentioned in the CrowdStrike report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
 date = "2016-06-14"
diff --git a/yara/apt_fancybear_osxagent.yar b/yara/apt_fancybear_osxagent.yar
index bb68e33..6a00da4 100644
--- a/yara/apt_fancybear_osxagent.yar
+++ b/yara/apt_fancybear_osxagent.yar
@@ -1,6 +1,7 @@
 rule MAL_OSX_FancyBear_Agent_Jul18_1 {
 meta:
 description = "Detects FancyBear Agent for OSX"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/DrunkBinary/status/1018448895054098432"
 date = "2018-07-15"
diff --git a/yara/apt_fidelis_phishing_plain_sight.yar b/yara/apt_fidelis_phishing_plain_sight.yar
index b8ee35c..67e2bd2 100644
--- a/yara/apt_fidelis_phishing_plain_sight.yar
+++ b/yara/apt_fidelis_phishing_plain_sight.yar
@@ -2,7 +2,8 @@
 rule Fidelis_Advisory_Purchase_Order_pps {
 meta:
 description = "Detects a string found in a malicious document named Purchase_Order.pps"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://goo.gl/ZjJyti"
 date = "2015-06-09"
 strings:
@@ -24,4 +25,4 @@ rule Fidelis_Advisory_cedt370 {
 $s3 = "Browsers.txt" ascii fullword
 condition:
 all of them
-}
\ No newline at end of file
+}
diff --git a/yara/apt_fin7.yar b/yara/apt_fin7.yar
index bfd9774..a755fb3 100644
--- a/yara/apt_fin7.yar
+++ b/yara/apt_fin7.yar
@@ -13,6 +13,7 @@ import "pe"
 rule APT_FIN7_Strings_Aug18_1 {
 meta:
 description = "Detects strings from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -30,6 +31,7 @@ rule APT_FIN7_Strings_Aug18_1 {
 rule APT_FIN7_Sample_Aug18_2 {
 meta:
 description = "Detects FIN7 malware sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -47,6 +49,7 @@ rule APT_FIN7_Sample_Aug18_2 {
 rule APT_FIN7_MalDoc_Aug18_1 {
 meta:
 description = "Detects malicious Doc from FIN7 campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -60,6 +63,7 @@ rule APT_FIN7_MalDoc_Aug18_1 {
 rule APT_FIN7_Sample_Aug18_1 {
 meta:
 description = "Detects FIN7 samples mentioned in FireEye report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -87,6 +91,7 @@ rule APT_FIN7_Sample_Aug18_1 {
 rule APT_FIN7_EXE_Sample_Aug18_1 {
 meta:
 description = "Detects sample from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -100,6 +105,7 @@ rule APT_FIN7_EXE_Sample_Aug18_1 {
 rule APT_FIN7_EXE_Sample_Aug18_2 {
 meta:
 description = "Detects sample from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -114,6 +120,7 @@ rule APT_FIN7_EXE_Sample_Aug18_2 {
 rule APT_FIN7_EXE_Sample_Aug18_3 {
 meta:
 description = "Detects sample from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -128,6 +135,7 @@ rule APT_FIN7_EXE_Sample_Aug18_3 {
 rule APT_FIN7_EXE_Sample_Aug18_4 {
 meta:
 description = "Detects sample from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -143,6 +151,7 @@ rule APT_FIN7_EXE_Sample_Aug18_4 {
 rule APT_FIN7_EXE_Sample_Aug18_5 {
 meta:
 description = "Detects sample from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -158,6 +167,7 @@ rule APT_FIN7_EXE_Sample_Aug18_5 {
 rule APT_FIN7_EXE_Sample_Aug18_6 {
 meta:
 description = "Detects sample from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -181,6 +191,7 @@ rule APT_FIN7_EXE_Sample_Aug18_6 {
 rule APT_FIN7_EXE_Sample_Aug18_7 {
 meta:
 description = "Detects sample from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -195,6 +206,7 @@ rule APT_FIN7_EXE_Sample_Aug18_7 {
 rule APT_FIN7_EXE_Sample_Aug18_8 {
 meta:
 description = "Detects sample from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -208,6 +220,7 @@ rule APT_FIN7_EXE_Sample_Aug18_8 {
 rule APT_FIN7_EXE_Sample_Aug18_10 {
 meta:
 description = "Detects sample from FIN7 report in August 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
@@ -225,6 +238,7 @@ rule APT_FIN7_EXE_Sample_Aug18_10 {
 rule APT_FIN7_Sample_EXE_Aug18_1 {
 meta:
 description = "Detects FIN7 Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 date = "2018-08-01"
diff --git a/yara/apt_fin7_backdoor.yar b/yara/apt_fin7_backdoor.yar
index 0830db3..b0c87cf 100644
--- a/yara/apt_fin7_backdoor.yar
+++ b/yara/apt_fin7_backdoor.yar
@@ -12,6 +12,7 @@
 rule FIN7_Dropper_Aug17 {
 meta:
 description = "Detects Word Dropper from Proofpoint FIN7 Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
 date = "2017-08-04"
@@ -68,4 +69,4 @@ rule FIN7_Backdoor_Aug17 {
 3 of ($c*) ) ) or 5 of them
-}
\ No newline at end of file
+}
diff --git a/yara/apt_foudre.yar b/yara/apt_foudre.yar
index a99af77..1e90ff7 100644
--- a/yara/apt_foudre.yar
+++ b/yara/apt_foudre.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Foudre_Backdoor_1 {
 meta:
 description = "Detects Foudre Backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Nbqbt6"
 date = "2017-08-01"
@@ -29,6 +30,7 @@ rule Foudre_Backdoor_1 {
 rule Foudre_Backdoor_Dropper_1 {
 meta:
 description = "Detects Foudre Backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Nbqbt6"
 date = "2017-08-01"
@@ -49,6 +51,7 @@ rule Foudre_Backdoor_Dropper_1 {
 rule Foudre_Backdoor_Component_1 {
 meta:
 description = "Detects Foudre Backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Nbqbt6"
 date = "2017-08-01"
@@ -70,6 +73,7 @@ rule Foudre_Backdoor_Component_1 {
 rule Foudre_Backdoor_SFX {
 meta:
 description = "Detects Foudre Backdoor SFX"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Nbqbt6"
 date = "2017-08-01"
diff --git a/yara/apt_four_element_sword.yar b/yara/apt_four_element_sword.yar
index 96b551b..fa16462 100644
--- a/yara/apt_four_element_sword.yar
+++ b/yara/apt_four_element_sword.yar
@@ -11,6 +11,7 @@
 rule FourElementSword_Config_File {
 meta:
 description = "Detects FourElementSword Malware - file f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
 date = "2016-04-18"
@@ -28,6 +29,7 @@ rule FourElementSword_Config_File {
 rule FourElementSword_T9000 {
 meta:
 description = "Detects FourElementSword Malware - file 5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
 date = "2016-04-18"
@@ -47,6 +49,7 @@ rule FourElementSword_T9000 {
 rule FourElementSword_32DLL {
 meta:
 description = "Detects FourElementSword Malware - file 7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
 date = "2016-04-18"
@@ -64,6 +67,7 @@ rule FourElementSword_32DLL {
 rule FourElementSword_Keyainst_EXE {
 meta:
 description = "Detects FourElementSword Malware - file cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
 date = "2016-04-18"
@@ -81,6 +85,7 @@ rule FourElementSword_Keyainst_EXE {
 rule FourElementSword_ElevateDLL_2 {
 meta:
 description = "Detects FourElementSword Malware - file 9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
 date = "2016-04-18"
@@ -96,6 +101,7 @@ rule FourElementSword_ElevateDLL_2 {
 rule FourElementSword_fslapi_dll_gui {
 meta:
 description = "Detects FourElementSword Malware - file 2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
 date = "2016-04-18"
@@ -111,6 +117,7 @@ rule FourElementSword_fslapi_dll_gui {
 rule FourElementSword_PowerShell_Start {
 meta:
 description = "Detects FourElementSword Malware - file 9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
 date = "2016-04-18"
@@ -125,6 +132,7 @@ rule FourElementSword_PowerShell_Start {
 rule FourElementSword_ResN32DLL {
 meta:
 description = "Detects FourElementSword Malware - file bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
 date = "2016-04-18"
@@ -142,6 +150,7 @@ rule FourElementSword_ResN32DLL {
 rule FourElementSword_ElevateDLL {
 meta:
 description = "Detects FourElementSword Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
 date = "2016-04-18"
diff --git a/yara/apt_freemilk.yar b/yara/apt_freemilk.yar
index fdccced..c2bcb9c 100644
--- a/yara/apt_freemilk.yar
+++ b/yara/apt_freemilk.yar
@@ -13,6 +13,7 @@ import "pe"
 rule FreeMilk_APT_Mal_1 {
 meta:
 description = "Detects malware from FreeMilk campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
 date = "2017-10-05"
@@ -39,6 +40,7 @@ rule FreeMilk_APT_Mal_1 {
 rule FreeMilk_APT_Mal_2 {
 meta:
 description = "Detects malware from FreeMilk campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
 date = "2017-10-05"
@@ -58,6 +60,7 @@ rule FreeMilk_APT_Mal_2 {
 rule FreeMilk_APT_Mal_3 {
 meta:
 description = "Detects malware from FreeMilk campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
 date = "2017-10-05"
@@ -74,6 +77,7 @@ rule FreeMilk_APT_Mal_3 {
 rule FreeMilk_APT_Mal_4 {
 meta:
 description = "Detects malware from FreeMilk campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
 date = "2017-10-05"
diff --git a/yara/apt_furtim.yar b/yara/apt_furtim.yar
index 45eb906..24761ae 100644
--- a/yara/apt_furtim.yar
+++ b/yara/apt_furtim.yar
@@ -8,6 +8,7 @@
 rule Furtim_nativeDLL {
 meta:
 description = "Detects Furtim malware - file native.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "MISP 3971"
 date = "2016-06-13"
@@ -32,6 +33,7 @@ rule Furtim_nativeDLL {
 rule Furtim_Parent_1 {
 meta:
 description = "Detects Furtim Parent Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://sentinelone.com/blogs/sfg-furtims-parent/"
 date = "2016-07-16"
diff --git a/yara/apt_fvey_shadowbroker_dec16.yar b/yara/apt_fvey_shadowbroker_dec16.yar
index ea94bdb..dba5dff 100644
--- a/yara/apt_fvey_shadowbroker_dec16.yar
+++ b/yara/apt_fvey_shadowbroker_dec16.yar
@@ -72,6 +72,7 @@ rule FVEY_ShadowBroker_Auct_Dez16_Strings {
 rule FVEY_ShadowBroker_violetspirit {
 meta:
 description = "Auto-generated rule - file violetspirit.README"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -85,6 +86,7 @@ rule FVEY_ShadowBroker_violetspirit {
 rule FVEY_ShadowBroker_gr_gr {
 meta:
 description = "Auto-generated rule - file gr.notes"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -98,6 +100,7 @@ rule FVEY_ShadowBroker_gr_gr {
 rule FVEY_ShadowBroker_user_tool_yellowspirit {
 meta:
 description = "Auto-generated rule - file user.tool.yellowspirit.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -112,6 +115,7 @@ rule FVEY_ShadowBroker_user_tool_yellowspirit {
 rule FVEY_ShadowBroker_eleganteagle_opscript_1_0_0 {
 meta:
 description = "Auto-generated rule - file eleganteagle_opscript.1.0.0.6"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -125,6 +129,7 @@ rule FVEY_ShadowBroker_eleganteagle_opscript_1_0_0 {
 rule FVEY_ShadowBroker_opscript {
 meta:
 description = "Auto-generated rule - file opscript.se"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -138,6 +143,7 @@ rule FVEY_ShadowBroker_opscript {
 rule FVEY_ShadowBroker_user_tool_shentysdelight {
 meta:
 description = "Auto-generated rule - file user.tool.shentysdelight.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -151,6 +157,7 @@ rule FVEY_ShadowBroker_user_tool_shentysdelight {
 rule FVEY_ShadowBroker_user_tool_epichero {
 meta:
 description = "Auto-generated rule - file user.tool.epichero.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -165,6 +172,7 @@ rule FVEY_ShadowBroker_user_tool_epichero {
 rule FVEY_ShadowBroker_user_tool {
 meta:
 description = "Auto-generated rule - file user.tool.elatedmonkey"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -178,6 +186,7 @@ rule FVEY_ShadowBroker_user_tool {
 rule FVEY_ShadowBroker_user_tool_dubmoat {
 meta:
 description = "Auto-generated rule - file user.tool.dubmoat.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -192,6 +201,7 @@ rule FVEY_ShadowBroker_user_tool_dubmoat {
 rule FVEY_ShadowBroker_strifeworld {
 meta:
 description = "Auto-generated rule - file strifeworld.1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -206,6 +216,7 @@ rule FVEY_ShadowBroker_strifeworld {
 rule FVEY_ShadowBroker_user_tool_pork {
 meta:
 description = "Auto-generated rule - file user.tool.pork.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -221,6 +232,7 @@ rule FVEY_ShadowBroker_user_tool_pork {
 rule FVEY_ShadowBroker_user_tool_ebbisland {
 meta:
 description = "Auto-generated rule - file user.tool.ebbisland.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -235,6 +247,7 @@ rule FVEY_ShadowBroker_user_tool_ebbisland {
 rule FVEY_ShadowBroker_user_tool_stoicsurgeon {
 meta:
 description = "Auto-generated rule - file user.tool.stoicsurgeon.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -248,6 +261,7 @@ rule FVEY_ShadowBroker_user_tool_stoicsurgeon {
 rule FVEY_ShadowBroker_user_tool_elgingamble {
 meta:
 description = "Auto-generated rule - file user.tool.elgingamble.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -261,6 +275,7 @@ rule FVEY_ShadowBroker_user_tool_elgingamble {
 rule FVEY_ShadowBroker_README_cup {
 meta:
 description = "Auto-generated rule - file README.cup.NOPEN"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -275,6 +290,7 @@ rule FVEY_ShadowBroker_README_cup {
 rule FVEY_ShadowBroker_nopen_oneshot {
 meta:
 description = "Auto-generated rule - file oneshot.example"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -288,6 +304,7 @@ rule FVEY_ShadowBroker_nopen_oneshot {
 rule FVEY_ShadowBroker_user_tool_earlyshovel {
 meta:
 description = "Auto-generated rule - file user.tool.earlyshovel.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -301,6 +318,7 @@ rule FVEY_ShadowBroker_user_tool_earlyshovel {
 rule FVEY_ShadowBroker_user_tool_envisioncollision {
 meta:
 description = "Auto-generated rule - file user.tool.envisioncollision.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -319,6 +337,7 @@ rule FVEY_ShadowBroker_user_tool_envisioncollision {
 rule FVEY_ShadowBroker_Gen_Readme1 {
 meta:
 description = "Auto-generated rule"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -335,6 +354,7 @@ rule FVEY_ShadowBroker_Gen_Readme1 {
 rule FVEY_ShadowBroker_Gen_Readme2 {
 meta:
 description = "Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -350,6 +370,7 @@ rule FVEY_ShadowBroker_Gen_Readme2 {
 rule FVEY_ShadowBroker_Gen_Readme3 {
 meta:
 description = "Auto-generated rule"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
@@ -370,6 +391,7 @@ rule FVEY_ShadowBroker_Gen_Readme3 {
 rule FVEY_ShadowBroker_Gen_Readme4 {
 meta:
 description = "Auto-generated rule - from files violetspirit.README, violetspirit.README"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
 date = "2016-12-17"
diff --git a/yara/apt_fvey_shadowbroker_jan17.yar b/yara/apt_fvey_shadowbroker_jan17.yar
index eb0ff87..f29330e 100644
--- a/yara/apt_fvey_shadowbroker_jan17.yar
+++ b/yara/apt_fvey_shadowbroker_jan17.yar
@@ -10,6 +10,7 @@
 rule FVEY_ShadowBrokers_Jan17_Screen_Strings {
 meta:
 description = "Detects strings derived from the ShadowBroker's leak of Windows tools/exploits"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message7/"
 date = "2017-01-08"
diff --git a/yara/apt_ghostdragon_gh0st_rat.yar b/yara/apt_ghostdragon_gh0st_rat.yar
index 5ff74a2..5ee7d90 100644
--- a/yara/apt_ghostdragon_gh0st_rat.yar
+++ b/yara/apt_ghostdragon_gh0st_rat.yar
@@ -8,6 +8,7 @@
 rule GhostDragon_Gh0stRAT {
 meta:
 description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/the-ghost-dragon"
 date = "2016-04-23"
@@ -53,6 +54,7 @@ rule GhostDragon_Gh0stRAT {
 rule GhostDragon_Gh0stRAT_Sample2 {
 meta:
 description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/the-ghost-dragon"
 date = "2016-04-23"
@@ -74,6 +76,7 @@ rule GhostDragon_Gh0stRAT_Sample2 {
 rule GhostDragon_Gh0stRAT_Sample3 {
 meta:
 description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/the-ghost-dragon"
 date = "2016-04-23"
diff --git a/yara/apt_glassRAT.yar b/yara/apt_glassRAT.yar
index a1f0add..fd29f7d 100644
--- a/yara/apt_glassRAT.yar
+++ b/yara/apt_glassRAT.yar
@@ -44,6 +44,7 @@ rule glassRAT
 rule GlassRAT_Generic {
 meta:
 description = "Detects GlassRAT Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blogs.rsa.com/peering-into-glassrat/"
 date = "2015-11-23"
diff --git a/yara/apt_golddragon.yar b/yara/apt_golddragon.yar
index dd664ed..9fb3d4b 100644
--- a/yara/apt_golddragon.yar
+++ b/yara/apt_golddragon.yar
@@ -13,6 +13,7 @@ import "pe"
 rule GoldDragon_malware_Feb18_1 {
 meta:
 description = "Detects malware from Gold Dragon report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
 date = "2018-02-03"
@@ -29,6 +30,7 @@ rule GoldDragon_malware_Feb18_1 {
 rule GoldDragon_Aux_File {
 meta:
 description = "Detects export from Gold Dragon - February 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
 date = "2018-02-03"
@@ -42,6 +44,7 @@ rule GoldDragon_Aux_File {
 rule GoldDragon_Ghost419_RAT {
 meta:
 description = "Detects Ghost419 RAT from Gold Dragon report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/rW1yvZ"
 date = "2018-02-03"
@@ -82,6 +85,7 @@ rule GoldDragon_Ghost419_RAT {
 rule GoldDragon_RunningRAT {
 meta:
 description = "Detects Running RAT from Gold Dragon report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/rW1yvZ"
 date = "2018-02-03"
@@ -122,6 +126,7 @@ rule GoldDragon_RunningRAT {
 rule GoldDragon_RunnignRAT {
 meta:
 description = "Detects Running RAT malware from Gold Dragon report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/rW1yvZ"
 date = "2018-02-03"
diff --git a/yara/apt_greenbug.yar b/yara/apt_greenbug.yar
index 0137cc1..325cb92 100644
--- a/yara/apt_greenbug.yar
+++ b/yara/apt_greenbug.yar
@@ -12,6 +12,7 @@ import "pe"
 rule Greenbug_Malware_1 {
 meta:
 description = "Detects Malware from Greenbug Incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/urp4CD"
 date = "2017-01-25"
@@ -26,6 +27,7 @@ rule Greenbug_Malware_1 {
 rule Greenbug_Malware_2 {
 meta:
 description = "Detects Backdoor from Greenbug Incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/urp4CD"
 date = "2017-01-25"
@@ -52,6 +54,7 @@ rule Greenbug_Malware_2 {
 rule Greenbug_Malware_3 {
 meta:
 description = "Detects Backdoor from Greenbug Incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/urp4CD"
 date = "2017-01-25"
@@ -69,6 +72,7 @@ rule Greenbug_Malware_3 {
 rule Greenbug_Malware_4 {
 meta:
 description = "Detects ISMDoor Backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/urp4CD"
 date = "2017-01-25"
@@ -95,6 +99,7 @@ rule Greenbug_Malware_4 {
 rule Greenbug_Malware_5 {
 meta:
 description = "Auto-generated rule"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/urp4CD"
 date = "2017-01-25"
@@ -130,6 +135,7 @@ rule Greenbug_Malware_5 {
 rule Greenbug_Malware_Nov17_1 {
 meta:
 description = "Detects Greenbug Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/greenbug/"
 date = "2017-11-26"
diff --git a/yara/apt_grizzlybear_uscert.yar b/yara/apt_grizzlybear_uscert.yar
index 3548c23..5718090 100644
--- a/yara/apt_grizzlybear_uscert.yar
+++ b/yara/apt_grizzlybear_uscert.yar
@@ -842,6 +842,7 @@ rule IMPLANT_4_v3_AlternativeRule {
 meta:
 description = "BlackEnergy / Voodoo Bear Implant by APT28"
 comment = "Alternative rule - not based on the original samples but samples on which the original rule matched"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "US CERT Grizzly Steppe Report"
 date = "2017-02-12"
diff --git a/yara/apt_hackingteam_rules.yar b/yara/apt_hackingteam_rules.yar
index 7472023..4cead38 100644
--- a/yara/apt_hackingteam_rules.yar
+++ b/yara/apt_hackingteam_rules.yar
@@ -10,6 +10,7 @@
 rule bin_ndisk {
 meta:
 description = "Hacking Team Disclosure Sample - file ndisk.sys"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/"
 date = "2015-07-07"
@@ -31,6 +32,7 @@ rule bin_ndisk {
 rule Hackingteam_Elevator_DLL {
 meta:
 description = "Hacking Team Disclosure Sample - file elevator.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://t.co/EG0qtVcKLh"
 date = "2015-07-07"
@@ -54,6 +56,7 @@ rule Hackingteam_Elevator_DLL {
 rule HackingTeam_Elevator_EXE {
 meta:
 description = "Hacking Team Disclosure Sample - file elevator.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Hacking Team Disclosure elevator.c"
 date = "2015-07-07"
diff --git a/yara/apt_hidden_cobra.yar b/yara/apt_hidden_cobra.yar
index 27b7761..2a0b50c 100644
--- a/yara/apt_hidden_cobra.yar
+++ b/yara/apt_hidden_cobra.yar
@@ -85,6 +85,7 @@ import "pe"
 rule APT_HiddenCobra_GhostSecret_1 {
 meta:
 description = "Detects Hidden Cobra Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
 date = "2018-08-11"
@@ -99,6 +100,7 @@ rule APT_HiddenCobra_GhostSecret_1 {
 rule APT_HiddenCobra_GhostSecret_2 {
 meta:
 description = "Detects Hidden Cobra Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
 date = "2018-08-11"
diff --git a/yara/apt_hiddencobra_bankshot.yar b/yara/apt_hiddencobra_bankshot.yar
index 5ade2f8..7ef82fd 100644
--- a/yara/apt_hiddencobra_bankshot.yar
+++ b/yara/apt_hiddencobra_bankshot.yar
@@ -11,6 +11,7 @@
 rule HiddenCobra_BANKSHOT_Gen {
 meta:
 description = "Detects Hidden Cobra BANKSHOT trojan"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
 date = "2017-12-26"
diff --git a/yara/apt_icefog.yar b/yara/apt_icefog.yar
index d88f558..f5993ee 100644
--- a/yara/apt_icefog.yar
+++ b/yara/apt_icefog.yar
@@ -11,6 +11,7 @@
 rule IceFog_Malware_Feb18_1 {
 meta:
 description = "Detects IceFog malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/ClearskySec/status/968104465818669057"
 date = "2018-02-26"
diff --git a/yara/apt_indetectables_rat.yar b/yara/apt_indetectables_rat.yar
index 190f048..6a7d957 100644
--- a/yara/apt_indetectables_rat.yar
+++ b/yara/apt_indetectables_rat.yar
@@ -8,6 +8,7 @@
 rule Indetectables_RAT {
 meta:
 description = "Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/"
 date = "2015-10-01"
@@ -33,6 +34,7 @@ rule Indetectables_RAT {
 rule BergSilva_Malware {
 meta:
 description = "Detects a malware from the same author as the Indetectables RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-10-01"
 super_rule = 1
diff --git a/yara/apt_industroyer.yar b/yara/apt_industroyer.yar
index f8755da..93bde99 100644
--- a/yara/apt_industroyer.yar
+++ b/yara/apt_industroyer.yar
@@ -12,6 +12,7 @@
 rule Industroyer_Malware_1 {
 meta:
 description = "Detects Industroyer related malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/x81cSy"
 date = "2017-06-13"
@@ -37,6 +38,7 @@ rule Industroyer_Malware_1 {
 rule Industroyer_Malware_2 {
 meta:
 description = "Detects Industroyer related malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/x81cSy"
 date = "2017-06-13"
@@ -75,6 +77,7 @@ rule Industroyer_Malware_2 {
 rule Industroyer_Portscan_3 {
 meta:
 description = "Detects Industroyer related custom port scaner"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/x81cSy"
 date = "2017-06-13"
@@ -96,6 +99,7 @@ rule Industroyer_Portscan_3 {
 rule Industroyer_Portscan_3_Output {
 meta:
 description = "Detects Industroyer related custom port scaner output file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/x81cSy"
 date = "2017-06-13"
@@ -109,6 +113,7 @@ rule Industroyer_Portscan_3_Output {
 rule Industroyer_Malware_4 {
 meta:
 description = "Detects Industroyer related malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/x81cSy"
 date = "2017-06-13"
@@ -126,6 +131,7 @@ rule Industroyer_Malware_4 {
 rule Industroyer_Malware_5 {
 meta:
 description = "Detects Industroyer related malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/x81cSy"
 date = "2017-06-13"
diff --git a/yara/apt_irongate.yar b/yara/apt_irongate.yar
index 010e1f7..699e61c 100644
--- a/yara/apt_irongate.yar
+++ b/yara/apt_irongate.yar
@@ -10,6 +10,7 @@
 rule IronGate_APT_Step7ProSim_Gen {
 meta:
 description = "Detects IronGate APT Malware - Step7ProSim DLL"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Mr6M2J"
 date = "2016-06-04"
@@ -40,6 +41,7 @@ rule IronGate_APT_Step7ProSim_Gen {
 rule IronGate_PyInstaller_update_EXE {
 meta:
 description = "Detects a PyInstaller file named update.exe as mentioned in the IronGate APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Mr6M2J"
 date = "2016-06-04"
@@ -63,6 +65,7 @@ rule IronGate_PyInstaller_update_EXE {
 rule Nirsoft_NetResView {
 meta:
 description = "Detects NirSoft NetResView - utility that displays the list of all network resources"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Mr6M2J"
 date = "2016-06-04"
diff --git a/yara/apt_irontiger.yar b/yara/apt_irontiger.yar
index e210d5c..f0b746c 100644
--- a/yara/apt_irontiger.yar
+++ b/yara/apt_irontiger.yar
@@ -10,6 +10,7 @@
 rule IronPanda_DNSTunClient {
 meta:
 description = "Iron Panda malware DnsTunClient - file named.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/E4qia9"
 date = "2015-09-16"
@@ -36,6 +37,7 @@ rule IronPanda_DNSTunClient {
 rule IronPanda_Malware1 {
 meta:
 description = "Iron Panda Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/E4qia9"
 date = "2015-09-16"
@@ -53,6 +55,7 @@ rule IronPanda_Malware1 {
 rule IronPanda_Webshell_JSP {
 meta:
 description = "Iron Panda Malware JSP"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/E4qia9"
 date = "2015-09-16"
@@ -68,6 +71,7 @@ rule IronPanda_Webshell_JSP {
 rule IronPanda_Malware_Htran {
 meta:
 description = "Iron Panda Malware Htran"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/E4qia9"
 date = "2015-09-16"
@@ -96,6 +100,7 @@ rule IronPanda_Malware_Htran {
 rule IronPanda_Malware2 {
 meta:
 description = "Iron Panda Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/E4qia9"
 date = "2015-09-16"
@@ -113,6 +118,7 @@ rule IronPanda_Malware2 {
 rule IronPanda_Malware3 {
 meta:
 description = "Iron Panda Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/E4qia9"
 date = "2015-09-16"
@@ -131,6 +137,7 @@ rule IronPanda_Malware3 {
 rule IronPanda_Malware4 {
 meta:
 description = "Iron Panda Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/E4qia9"
 date = "2015-09-16"
diff --git a/yara/apt_kaspersky_duqu2.yar b/yara/apt_kaspersky_duqu2.yar
index 37f14d6..7d37f58 100644
--- a/yara/apt_kaspersky_duqu2.yar
+++ b/yara/apt_kaspersky_duqu2.yar
@@ -59,6 +59,7 @@ rule apt_duqu2_drivers {
 rule Duqu2_Generic1 {
 meta:
 description = "Kaspersky APT Report - Duqu2 Sample - Generic Rule"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/7yKyOj"
 date = "2015-06-10"
@@ -88,6 +89,7 @@ rule Duqu2_Generic1 {
 rule APT_Kaspersky_Duqu2_procexp {
 meta:
 description = "Kaspersky APT Report - Duqu2 Sample - Malicious MSI"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/7yKyOj"
 date = "2015-06-10"
@@ -110,6 +112,7 @@ rule APT_Kaspersky_Duqu2_procexp {
 rule APT_Kaspersky_Duqu2_SamsungPrint {
 meta:
 description = "Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/7yKyOj"
 date = "2015-06-10"
@@ -128,6 +131,7 @@ rule APT_Kaspersky_Duqu2_SamsungPrint {
 rule APT_Kaspersky_Duqu2_msi3_32 {
 meta:
 description = "Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/7yKyOj"
 date = "2015-06-10"
diff --git a/yara/apt_keyboys.yar b/yara/apt_keyboys.yar
index 165b110..389a11b 100644
--- a/yara/apt_keyboys.yar
+++ b/yara/apt_keyboys.yar
@@ -13,6 +13,7 @@ import "pe"
 rule KeyBoys_malware_1 {
 meta:
 description = "Detects Keyboys malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html"
 date = "2017-11-02"
diff --git a/yara/apt_keylogger_cn.yar b/yara/apt_keylogger_cn.yar
index 018b7a9..796eb04 100644
--- a/yara/apt_keylogger_cn.yar
+++ b/yara/apt_keylogger_cn.yar
@@ -8,6 +8,7 @@
 rule Keylogger_CN_APT {
 meta:
 description = "Keylogger - generic rule for a Chinese variant"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2016-03-07"
 score = 75
diff --git a/yara/apt_khrat.yar b/yara/apt_khrat.yar
index 95a2069..39aed93 100644
--- a/yara/apt_khrat.yar
+++ b/yara/apt_khrat.yar
@@ -13,6 +13,7 @@ import "pe"
 rule KHRAT_Malware {
 meta:
 description = "Detects an Imphash of KHRAT malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
 date = "2017-08-31"
@@ -24,6 +25,7 @@ rule KHRAT_Malware {
 rule MAL_KHRAT_script {
 meta:
 description = "Rule derived from KHRAT script but can match on other malicious scripts as well"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
 date = "2017-08-31"
@@ -39,6 +41,7 @@ rule MAL_KHRAT_script {
 rule MAL_KHRAT_scritplet {
 meta:
 description = "Rule derived from KHRAT scriptlet"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
 date = "2017-08-31"
diff --git a/yara/apt_korplug_fast.yar b/yara/apt_korplug_fast.yar
index d869254..7236203 100644
--- a/yara/apt_korplug_fast.yar
+++ b/yara/apt_korplug_fast.yar
@@ -1,7 +1,8 @@
 rule Korplug_FAST {
 meta:
 description = "Rule to detect Korplug/PlugX FAST variant"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 date = "2015-08-20"
 hash = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371"
 strings:
diff --git a/yara/apt_laudanum_webshells.yar b/yara/apt_laudanum_webshells.yar
index 9b79d41..a5a0d0d 100644
--- a/yara/apt_laudanum_webshells.yar
+++ b/yara/apt_laudanum_webshells.yar
@@ -8,6 +8,7 @@
 rule asp_file {
 meta:
 description = "Laudanum Injector Tools - file file.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -26,6 +27,7 @@ rule asp_file {
 rule php_killnc {
 meta:
 description = "Laudanum Injector Tools - file killnc.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
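Review bot: In the apt_korplug_fast.yar hunk the `author = "Florian Roth"` line is removed and re-added with no visible textual difference, so the only change is presumably leading whitespace (the original line likely had a different indent than the rest of the meta block); that is fine, but worth confirming with a whitespace-insensitive diff that nothing else differs, since the collapsed rendering hides it. Every other hunk in this file list is a pure one-line `license` insertion, so this is the one place where an existing line is touched. The rule body of Korplug_FAST continues past the hunk.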
@@ -43,6 +45,7 @@ rule php_killnc {
 rule asp_shell {
 meta:
 description = "Laudanum Injector Tools - file shell.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -62,6 +65,7 @@ rule asp_shell {
 rule settings {
 meta:
 description = "Laudanum Injector Tools - file settings.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -77,6 +81,7 @@ rule settings {
 rule asp_proxy {
 meta:
 description = "Laudanum Injector Tools - file proxy.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -95,6 +100,7 @@ rule asp_proxy {
 rule cfm_shell {
 meta:
 description = "Laudanum Injector Tools - file shell.cfm"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -110,6 +116,7 @@ rule cfm_shell {
 rule aspx_shell {
 meta:
 description = "Laudanum Injector Tools - file shell.aspx"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -126,6 +133,7 @@ rule aspx_shell {
 rule php_shell {
 meta:
 description = "Laudanum Injector Tools - file shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -142,6 +150,7 @@ rule php_shell {
 rule php_reverse_shell {
 meta:
 description = "Laudanum Injector Tools - file php-reverse-shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -157,6 +166,7 @@ rule php_reverse_shell {
 rule php_dns {
 meta:
 description = "Laudanum Injector Tools - file dns.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -173,6 +183,7 @@ rule php_dns {
 rule WEB_INF_web {
 meta:
 description = "Laudanum Injector Tools - file web.xml"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -187,6 +198,7 @@ rule WEB_INF_web {
 rule jsp_cmd {
 meta:
 description = "Laudanum Injector Tools - file cmd.war"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -204,6 +216,7 @@ rule jsp_cmd {
 rule laudanum {
 meta:
 description = "Laudanum Injector Tools - file laudanum.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -218,6 +231,7 @@ rule laudanum {
 rule php_file {
 meta:
 description = "Laudanum Injector Tools - file file.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -234,6 +248,7 @@ rule php_file {
 rule warfiles_cmd {
 meta:
 description = "Laudanum Injector Tools - file cmd.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -250,6 +265,7 @@ rule warfiles_cmd {
 rule asp_dns {
 meta:
 description = "Laudanum Injector Tools - file dns.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -266,6 +282,7 @@ rule asp_dns {
 rule php_reverse_shell_2 {
 meta:
 description = "Laudanum Injector Tools - file php-reverse-shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
@@ -280,6 +297,7 @@ rule php_reverse_shell_2 {
 rule Laudanum_Tools_Generic {
 meta:
 description = "Laudanum Injector Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://laudanum.inguardians.com/"
 date = "2015-06-22"
diff --git a/yara/apt_lazarus_applejeus.yar b/yara/apt_lazarus_applejeus.yar
index 14bd443..caa0bb9 100644
--- a/yara/apt_lazarus_applejeus.yar
+++ b/yara/apt_lazarus_applejeus.yar
@@ -13,6 +13,7 @@ import "pe"
 rule APT_Lazarus_Aug18_Downloader_1 {
 meta:
 description = "Detects Lazarus Group Malware Downloadery"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/operation-applejeus/87553/"
 date = "2018-08-24"
@@ -37,6 +38,7 @@ rule APT_Lazarus_Aug18_Downloader_1 {
 rule APT_Lazarus_Aug18_1 {
 meta:
 description = "Detects Lazarus Group Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/operation-applejeus/87553/"
 date = "2018-08-24"
@@ -58,6 +60,7 @@ rule APT_Lazarus_Aug18_1 {
 rule APT_Lazarus_Aug18_2 {
 meta:
 description = "Detects Lazarus Group Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/operation-applejeus/87553/"
 date = "2018-08-24"
@@ -77,6 +80,7 @@ rule APT_Lazarus_Aug18_2 {
 rule APT_FallChill_RC4_Keys {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Detects FallChill RC4 keys"
 reference = "https://securelist.com/operation-applejeus/87553/"
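Review bot: In the APT_FallChill_RC4_Keys hunk of apt_lazarus_applejeus.yar the new `license` line is inserted directly under `meta:`, ahead of `author` and `description`, whereas every other rule in this commit keeps the order description, license, author. The inconsistency stems from this rule listing `description` after `author` (pre-existing), but since the meta block is being touched anyway it would be cheap to move `description = "Detects FallChill RC4 keys"` above the `license` line so the key order matches the rest of the set. The hunk's tail (date and any hash fields) lies outside the visible diff, and the ordering is cosmetic: YARA does not assign meaning to meta key order.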
diff --git a/yara/apt_lazarus_dec17.yar b/yara/apt_lazarus_dec17.yar
index 399d4e6..0ac1196 100644
--- a/yara/apt_lazarus_dec17.yar
+++ b/yara/apt_lazarus_dec17.yar
@@ -12,6 +12,7 @@
 rule Lazarus_Dec_17_1 {
 meta:
 description = "Detects Lazarus malware from incident in Dec 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8U6fY2"
 date = "2017-12-20"
@@ -29,6 +30,7 @@ rule Lazarus_Dec_17_1 {
 rule Lazarus_Dec_17_2 {
 meta:
 description = "Detects Lazarus malware from incident in Dec 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8U6fY2"
 date = "2017-12-20"
@@ -49,6 +51,7 @@ rule Lazarus_Dec_17_2 {
 rule Lazarus_Dec_17_4 {
 meta:
 description = "Detects Lazarus malware from incident in Dec 2017ithumb.js"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8U6fY2"
 date = "2017-12-20"
@@ -63,6 +66,7 @@ rule Lazarus_Dec_17_4 {
 rule Lazarus_Dec_17_5 {
 meta:
 description = "Detects Lazarus malware from incident in Dec 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8U6fY2"
 date = "2017-12-20"
diff --git a/yara/apt_lazarus_jun18.yar b/yara/apt_lazarus_jun18.yar
index 4cf8ce0..646317c 100644
--- a/yara/apt_lazarus_jun18.yar
+++ b/yara/apt_lazarus_jun18.yar
@@ -13,6 +13,7 @@ import "pe"
 rule APT_Lazarus_Dropper_Jun18_1 {
 meta:
 description = "Detects Lazarus Group Dropper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
 date = "2018-06-01"
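Review bot: The context line `description = "Detects Lazarus malware from incident in Dec 2017ithumb.js"` in the Lazarus_Dec_17_4 hunk of apt_lazarus_dec17.yar looks like a lost separator between the incident date and a file name, and since this meta block is being edited it is a good moment to repair it, e.g. `description = "Detects Lazarus malware from incident in Dec 2017 - ithumb.js"`. The intended wording is an inference from the sibling rules' descriptions, so confirm the file name against the referenced report before changing it. The strings and condition of the rule sit outside the hunk.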
@@ -32,6 +33,7 @@ rule APT_Lazarus_Dropper_Jun18_1 {
 rule APT_Lazarus_RAT_Jun18_1 {
 meta:
 description = "Detects Lazarus Group RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
 date = "2018-06-01"
@@ -64,6 +66,7 @@ rule APT_Lazarus_RAT_Jun18_1 {
 rule APT_Lazarus_RAT_Jun18_2 {
 meta:
 description = "Detects Lazarus Group RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
 date = "2018-06-01"
diff --git a/yara/apt_leviathan.yar b/yara/apt_leviathan.yar
index a48a47d..5a7d52b 100644
--- a/yara/apt_leviathan.yar
+++ b/yara/apt_leviathan.yar
@@ -11,6 +11,7 @@
 rule SeDLL_Javascript_Decryptor {
 meta:
 description = "Detects SeDll - DLL is used for decrypting and executing another JavaScript backdoor such as Orz"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/MZ7dRg"
 date = "2017-10-18"
@@ -31,6 +32,7 @@ rule SeDLL_Javascript_Decryptor {
 rule Leviathan_CobaltStrike_Sample_1 {
 meta:
 description = "Detects Cobalt Strike sample from Leviathan report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/MZ7dRg"
 date = "2017-10-18"
@@ -53,6 +55,7 @@ rule Leviathan_CobaltStrike_Sample_1 {
 rule MockDll_Gen {
 meta:
 description = "Detects MockDll - regsvr DLL loader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/MZ7dRg"
 date = "2017-10-18"
@@ -71,6 +74,7 @@ rule MockDll_Gen {
 rule VBScript_Favicon_File {
 meta:
 description = "VBScript cloaked as Favicon file used in Leviathan incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/MZ7dRg"
 date = "2017-10-18"
diff --git a/yara/apt_lotusblossom_elise.yar b/yara/apt_lotusblossom_elise.yar
index 1b363ac..1f76d8d 100644
--- a/yara/apt_lotusblossom_elise.yar
+++ b/yara/apt_lotusblossom_elise.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Elise_Jan18_1 {
 meta:
 description = "Detects Elise malware samples - fake Norton Security NavShExt.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/blu3_team/status/955971742329135105"
 date = "2018-01-24"
diff --git a/yara/apt_magichound.yar b/yara/apt_magichound.yar
index 69b6fa3..e9ca0a6 100644
--- a/yara/apt_magichound.yar
+++ b/yara/apt_magichound.yar
@@ -10,6 +10,7 @@
 rule APT_PupyRAT_PY {
 meta:
 description = "Detects Pupy RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
 date = "2017-02-17"
@@ -31,6 +32,7 @@ rule APT_PupyRAT_PY {
 rule APT_MagicHound_MalMacro {
 meta:
 description = "Detects malicious macro / powershell in Office document"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
 date = "2017-02-17"
diff --git a/yara/apt_microcin.yar b/yara/apt_microcin.yar
index 834108d..cfe90b5 100644
--- a/yara/apt_microcin.yar
+++ b/yara/apt_microcin.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Microcin_Sample_1 {
 meta:
 description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
 date = "2017-09-26"
@@ -36,6 +37,7 @@ rule Microcin_Sample_1 {
 rule Microcin_Sample_2 {
 meta:
 description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
 date = "2017-09-26"
@@ -50,6 +52,7 @@ rule Microcin_Sample_2 {
 rule Microcin_Sample_3 {
 meta:
 description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
 date = "2017-09-26"
@@ -64,6 +67,7 @@ rule Microcin_Sample_3 {
 rule Microcin_Sample_4 {
 meta:
 description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
 date = "2017-09-26"
@@ -84,6 +88,7 @@ rule Microcin_Sample_4 {
 rule Microcin_Sample_5 {
 meta:
 description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
 date = "2017-09-26"
@@ -102,6 +107,7 @@ rule Microcin_Sample_5 {
 rule Microcin_Sample_6 {
 meta:
 description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
 date = "2017-09-26"
diff --git a/yara/apt_middle_east_talosreport.yar b/yara/apt_middle_east_talosreport.yar
index e812030..e1cda98 100644
--- a/yara/apt_middle_east_talosreport.yar
+++ b/yara/apt_middle_east_talosreport.yar
@@ -13,6 +13,7 @@ import "pe"
 rule ME_Campaign_Malware_1 {
 meta:
 description = "Detects malware from Middle Eastern campaign reported by Talos"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
 date = "2018-02-07"
@@ -26,6 +27,7 @@ rule ME_Campaign_Malware_1 {
 rule ME_Campaign_Malware_2 {
 meta:
 description = "Detects malware from Middle Eastern campaign reported by Talos"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
 date = "2018-02-07"
@@ -46,6 +48,7 @@ rule ME_Campaign_Malware_2 {
 rule ME_Campaign_Malware_3 {
 meta:
 description = "Detects malware from Middle Eastern campaign reported by Talos"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
 date = "2018-02-07"
@@ -62,6 +65,7 @@ rule ME_Campaign_Malware_3 {
 rule ME_Campaign_Malware_4 {
 meta:
 description = "Detects malware from Middle Eastern campaign reported by Talos"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
 date = "2018-02-07"
@@ -73,6 +77,7 @@ rule ME_Campaign_Malware_4 {
 rule ME_Campaign_Malware_5 {
 meta:
 description = "Detects malware from Middle Eastern campaign reported by Talos"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
 date = "2018-02-07"
diff --git a/yara/apt_miniasp.yar b/yara/apt_miniasp.yar
index 7be1499..6059157 100644
--- a/yara/apt_miniasp.yar
+++ b/yara/apt_miniasp.yar
@@ -2,6 +2,7 @@
 rule APT_Malware_CommentCrew_MiniASP {
 meta:
 description = "CommentCrew Malware MiniASP APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Analysis"
 date = "2015-06-03"
diff --git a/yara/apt_minidionis.yar b/yara/apt_minidionis.yar
index f575f4d..f9d7866 100644
--- a/yara/apt_minidionis.yar
+++ b/yara/apt_minidionis.yar
@@ -10,6 +10,7 @@
 rule MiniDionis_readerView {
 meta:
 description = "MiniDionis Malware - file readerView.exe / adobe.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
 date = "2015-07-20"
@@ -37,6 +38,7 @@ rule MiniDionis_readerView {
 rule Malicious_SFX1 {
 meta:
 description = "SFX with voicemail content"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
 date = "2015-07-20"
@@ -51,6 +53,7 @@ rule Malicious_SFX1 {
 rule Malicious_SFX2 {
 meta:
 description = "SFX with adobe.exe content"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
 date = "2015-07-20"
@@ -66,6 +69,7 @@ rule Malicious_SFX2 {
 rule MiniDionis_VBS_Dropped {
 meta:
 description = "Dropped File - 1.vbs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/"
 date = "2015-07-21"
diff --git a/yara/apt_molerats_jul17.yar b/yara/apt_molerats_jul17.yar
index ed8262c..9fc9bb0 100644
--- a/yara/apt_molerats_jul17.yar
+++ b/yara/apt_molerats_jul17.yar
@@ -11,6 +11,7 @@
 rule Molerats_Jul17_Sample_1 {
 meta:
 description = "Detects Molerats sample - July 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
 date = "2017-07-07"
@@ -25,6 +26,7 @@ rule Molerats_Jul17_Sample_1 {
 rule Molerats_Jul17_Sample_2 {
 meta:
 description = "Detects Molerats sample - July 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
 date = "2017-07-07"
@@ -40,6 +42,7 @@ rule Molerats_Jul17_Sample_2 {
 rule Molerats_Jul17_Sample_3 {
 meta:
 description = "Detects Molerats sample - July 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
 date = "2017-07-07"
@@ -55,6 +58,7 @@ rule Molerats_Jul17_Sample_3 {
 rule Molerats_Jul17_Sample_4 {
 meta:
 description = "Detects Molerats sample - July 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
 date = "2017-07-07"
@@ -70,6 +74,7 @@ rule Molerats_Jul17_Sample_4 {
 rule Molerats_Jul17_Sample_5 {
 meta:
 description = "Detects Molerats sample - July 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
 date = "2017-07-07"
@@ -87,6 +92,7 @@ rule Molerats_Jul17_Sample_5 {
 rule Molerats_Jul17_Sample_Dropper {
 meta:
 description = "Detects Molerats sample dropper SFX - July 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
 date = "2017-07-07"
diff --git a/yara/apt_monsoon.yar b/yara/apt_monsoon.yar
index 244cb30..7ae2690 100644
--- a/yara/apt_monsoon.yar
+++ b/yara/apt_monsoon.yar
@@ -14,6 +14,7 @@ import "pe"
 rule Monsoon_APT_Malware_1 {
 meta:
 description = "Detects malware from Monsoon APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2"
 date = "2017-09-08"
@@ -35,6 +36,7 @@ rule Monsoon_APT_Malware_1 {
 rule Monsoon_APT_Malware_2 {
 meta:
 description = "Detects malware from Monsoon APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2"
 date = "2017-09-08"
diff --git a/yara/apt_muddywater.yar b/yara/apt_muddywater.yar
index 309a184..b5ca5c4 100644
--- a/yara/apt_muddywater.yar
+++ b/yara/apt_muddywater.yar
@@ -10,6 +10,7 @@
 rule MuddyWater_Mal_Doc_Feb18_1 {
 meta:
 description = "Detects malicious document used by MuddyWater"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - TI2T"
 date = "2018-02-26"
@@ -26,6 +27,7 @@ rule MuddyWater_Mal_Doc_Feb18_1 {
 rule MuddyWater_Mal_Doc_Feb18_2 {
 meta:
 description = "Detects malicious document used by MuddyWater"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - TI2T"
 date = "2018-02-26"
@@ -44,6 +46,7 @@ rule MuddyWater_Mal_Doc_Feb18_2 {
 rule MAL_MuddyWater_DroppedTask_Jun18_1 {
 meta:
 description = "Detects a dropped Windows task as used by MudyWater in June 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb"
 date = "2018-06-12"
diff --git a/yara/apt_naikon.yar b/yara/apt_naikon.yar
index 1701009..76c543f 100644
--- a/yara/apt_naikon.yar
+++ b/yara/apt_naikon.yar
@@ -2,6 +2,7 @@
 rule Backdoor_Naikon_APT_Sample1 {
 meta:
 description = "Detects backdoors related to the Naikon APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/7vHyvh"
 date = "2015-05-14"
diff --git a/yara/apt_nanocore_rat.yar b/yara/apt_nanocore_rat.yar
index f93fc6b..7fa5820 100644
--- a/yara/apt_nanocore_rat.yar
+++ b/yara/apt_nanocore_rat.yar
@@ -8,6 +8,7 @@
 rule Nanocore_RAT_Gen_1 {
 meta:
 description = "Detetcs the Nanocore RAT and similar malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
 date = "2016-04-22"
@@ -26,6 +27,7 @@ rule Nanocore_RAT_Gen_1 {
 rule Nanocore_RAT_Gen_2 {
 meta:
 description = "Detetcs the Nanocore RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 100
 reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
@@ -42,6 +44,7 @@ rule Nanocore_RAT_Gen_2 {
 rule Nanocore_RAT_Sample_1 {
 meta:
 description = "Detetcs a certain Nanocore RAT sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 75
 reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
@@ -58,6 +61,7 @@ rule Nanocore_RAT_Sample_1 {
 rule Nanocore_RAT_Sample_2 {
 meta:
 description = "Detetcs a certain Nanocore RAT sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 75
 reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
@@ -84,6 +88,7 @@ rule Nanocore_RAT_Sample_2 {
 rule Nanocore_RAT_Feb18_1 {
 meta:
 description = "Detects Nanocore RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - T2T"
 date = "2018-02-19"
@@ -107,6 +112,7 @@ rule Nanocore_RAT_Feb18_1 {
 rule Nanocore_RAT_Feb18_2 {
 meta:
 description = "Detects Nanocore RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - T2T"
 date = "2018-02-19"
diff --git a/yara/apt_netwire_rat.yar b/yara/apt_netwire_rat.yar
index 85d1af2..adfd72c 100644
--- a/yara/apt_netwire_rat.yar
+++ b/yara/apt_netwire_rat.yar
@@ -11,6 +11,7 @@
 rule Susp_Indicators_EXE {
 meta:
 description = "Detects packed NullSoft Inst EXE with characteristics of NetWire RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://pastebin.com/8qaiyPxs"
 date = "2018-01-05"
@@ -30,6 +31,7 @@ rule Susp_Indicators_EXE {
 rule Suspicious_BAT_Strings {
 meta:
 description = "Detects a string also used in Netwire RAT auxilliary"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 60
 reference = "https://pastebin.com/8qaiyPxs"
@@ -43,6 +45,7 @@ rule Suspicious_BAT_Strings {
 rule Malicious_BAT_Strings {
 meta:
 description = "Detects a string also used in Netwire RAT auxilliary"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 60
 reference = "https://pastebin.com/8qaiyPxs"
diff --git a/yara/apt_oilrig.yar b/yara/apt_oilrig.yar
index 79eba20..0e054a9 100644
--- a/yara/apt_oilrig.yar
+++ b/yara/apt_oilrig.yar
@@ -12,6 +12,7 @@ import "pe"
 rule OilRig_Malware_Campaign_Gen1 {
 meta:
 description = "Detects malware from OilRig Campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QMRZ8K"
 date = "2016-10-12"
@@ -67,6 +68,7 @@ rule OilRig_Malware_Campaign_Gen1 {
 rule OilRig_Malware_Campaign_Mal1 {
 meta:
 description = "Detects malware from OilRig Campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QMRZ8K"
 date = "2016-10-12"
@@ -84,6 +86,7 @@ rule OilRig_Malware_Campaign_Mal1 {
 rule OilRig_Malware_Campaign_Gen2 {
 meta:
 description = "Detects malware from OilRig Campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QMRZ8K"
 date = "2016-10-12"
@@ -106,6 +109,7 @@ rule OilRig_Malware_Campaign_Gen2 {
 rule OilRig_Malware_Campaign_Gen3 {
 meta:
 description = "Detects malware from OilRig Campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QMRZ8K"
 date = "2016-10-12"
@@ -123,6 +127,7 @@ rule OilRig_Malware_Campaign_Gen3 {
 rule OilRig_Malware_Campaign_Mal2 {
 meta:
 description = "Detects malware from OilRig Campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QMRZ8K"
 date = "2016-10-12"
@@ -141,6 +146,7 @@ rule OilRig_Malware_Campaign_Mal2 {
 rule OilRig_Campaign_Reconnaissance {
 meta:
 description = "Detects Windows discovery commands - known from OilRig Campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QMRZ8K"
 date = "2016-10-12"
@@ -156,6 +162,7 @@ rule OilRig_Campaign_Reconnaissance {
 rule OilRig_Malware_Campaign_Mal3 {
 meta:
 description = "Detects malware from OilRig Campaign"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QMRZ8K"
 date = "2016-10-12"
@@ -171,6 +178,7 @@ rule OilRig_Malware_Campaign_Mal3 {
 rule OilRig_Malware_Nov17_13 {
 meta:
 description = ""
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/ClearskySec/status/933280188733018113"
 date = "2017-11-22"
diff --git a/yara/apt_oilrig_oct17.yar b/yara/apt_oilrig_oct17.yar
index 0dfaa82..0cc51f7 100644
--- a/yara/apt_oilrig_oct17.yar
+++ b/yara/apt_oilrig_oct17.yar
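Review bot: The `description` of OilRig_Malware_Nov17_13 is still an empty string on the context line directly above the added `license` entry, so the rule carries no human-readable statement of what it detects while the commit is already editing this meta block. Since the `reference` line points at a ClearSky post from November 2017, something like `description = "Detects OilRig malware samples referenced by ClearSky in November 2017"` would close the gap without guessing at specifics. The same issue appears in the apt_poshspy.yar hunk, where POSHSPY_Malware has `description = "Detects"` and nothing more. The rule bodies of both continue outside their hunks.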
@@ -11,6 +11,7 @@
 rule OilRig_Strings_Oct17 {
 meta:
 description = "Detects strings from OilRig malware and malicious scripts"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"
 date = "2017-10-18"
@@ -39,6 +40,7 @@ import "pe"
 rule OilRig_ISMAgent_Campaign_Samples1 {
 meta:
 description = "Detects OilRig malware from Unit 42 report in October 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/JQVfFP"
 date = "2017-10-18"
@@ -58,6 +60,7 @@ rule OilRig_ISMAgent_Campaign_Samples1 {
 rule OilRig_ISMAgent_Campaign_Samples2 {
 meta:
 description = "Detects OilRig malware from Unit 42 report in October 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/JQVfFP"
 date = "2017-10-18"
@@ -77,6 +80,7 @@ rule OilRig_ISMAgent_Campaign_Samples2 {
 rule OilRig_ISMAgent_Campaign_Samples3 {
 meta:
 description = "Detects OilRig malware from Unit 42 report in October 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/JQVfFP"
 date = "2017-10-18"
diff --git a/yara/apt_oilrig_rgdoor.yar b/yara/apt_oilrig_rgdoor.yar
index fb1b7d2..2f60967 100644
--- a/yara/apt_oilrig_rgdoor.yar
+++ b/yara/apt_oilrig_rgdoor.yar
@@ -13,6 +13,7 @@ import "pe"
 rule OilRig_RGDoor_Gen1 {
 meta:
 description = "Detects RGDoor backdoor used by OilRig group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
 date = "2018-01-27"
diff --git a/yara/apt_olympic_destroyer.yar b/yara/apt_olympic_destroyer.yar
index cc4f6b0..f9241a8 100644
--- a/yara/apt_olympic_destroyer.yar
+++ b/yara/apt_olympic_destroyer.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Destructive_Ransomware_Gen1 {
 meta:
 description = "Detects destructive malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
 date = "2018-02-12"
@@ -28,6 +29,7 @@ rule Destructive_Ransomware_Gen1 {
 rule OlympicDestroyer_Gen2 {
 meta:
 description = "Detects Olympic Destroyer malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
 date = "2018-02-12"
diff --git a/yara/apt_onhat_proxy.yar b/yara/apt_onhat_proxy.yar
index 6d21a9f..9b1d83a 100644
--- a/yara/apt_onhat_proxy.yar
+++ b/yara/apt_onhat_proxy.yar
@@ -8,6 +8,7 @@
 rule ONHAT_Proxy_Hacktool {
 meta:
 description = "Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/p32Ozf"
 date = "2016-05-12"
diff --git a/yara/apt_op_cleaver.yar b/yara/apt_op_cleaver.yar
index 191d09b..bddd9e9 100644
--- a/yara/apt_op_cleaver.yar
+++ b/yara/apt_op_cleaver.yar
@@ -302,6 +302,7 @@ rule OPCLEAVER_Parviz_Developer
 description = "Parviz developer known from Operation Cleaver"
 reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
 date = "2014/12/02"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 strings:
@@ -316,6 +317,7 @@ rule OPCLEAVER_CCProxy_Config
 description = "CCProxy config known from Operation Cleaver"
 reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
 date = "2014/12/02"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 strings:
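Review bot: In both apt_op_cleaver.yar hunks the new `license` line is inserted after `date`, whereas every other hunk in this commit puts it directly after `description`; the inconsistent key order makes any later scripted check or normalisation of the meta blocks harder than it needs to be. Moving the added line up so that it follows `description = "Parviz developer known from Operation Cleaver"` (and likewise for OPCLEAVER_CCProxy_Config) would match the rest of the change. The `meta:` and `rule` lines of both rules lie outside the hunk.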
diff --git a/yara/apt_op_cloudhopper.yar b/yara/apt_op_cloudhopper.yar
index d638406..1987917 100644
--- a/yara/apt_op_cloudhopper.yar
+++ b/yara/apt_op_cloudhopper.yar
@@ -10,6 +10,7 @@
 rule OpCloudHopper_Malware_1 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -26,6 +27,7 @@ rule OpCloudHopper_Malware_1 {
 rule OpCloudHopper_Malware_2 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -54,6 +56,7 @@ rule OpCloudHopper_Malware_2 {
 rule OpCloudHopper_Malware_3 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -74,6 +77,7 @@ rule OpCloudHopper_Malware_3 {
 rule OpCloudHopper_Dropper_1 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -87,6 +91,7 @@ rule OpCloudHopper_Dropper_1 {
 rule OpCloudHopper_Malware_4 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -102,6 +107,7 @@ rule OpCloudHopper_Malware_4 {
 rule OpCloudHopper_Malware_5 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -122,6 +128,7 @@ rule OpCloudHopper_Malware_5 {
 rule OpCloudHopper_Malware_6 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -138,6 +145,7 @@ rule OpCloudHopper_Malware_6 {
 rule OpCloudHopper_Malware_7 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -152,6 +160,7 @@ rule OpCloudHopper_Malware_7 {
 rule OpCloudHopper_Malware_8 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -171,6 +180,7 @@ rule OpCloudHopper_Malware_8 {
 rule OpCloudHopper_Malware_9 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -185,6 +195,7 @@ rule OpCloudHopper_Malware_9 {
 rule OpCloudHopper_Malware_10 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -200,6 +211,7 @@ rule OpCloudHopper_Malware_10 {
 rule OpCloudHopper_Malware_11 {
 meta:
 description = "Detects malware from Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
 date = "2017-04-03"
@@ -225,6 +237,7 @@ rule OpCloudHopper_Malware_11 {
 rule OpCloudHopper_lockdown {
 meta:
 description = "Tools related to Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -239,6 +252,7 @@ rule OpCloudHopper_lockdown {
 rule OpCloudHopper_WindowXarBot {
 meta:
 description = "Malware related to Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
 date = "2017-04-07"
@@ -251,6 +265,7 @@ rule OpCloudHopper_WindowXarBot {
 rule OpCloudHopper_WmiDLL_inMemory {
 meta:
 description = "Malware related to Operation Cloud Hopper - Page 25"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
 date = "2017-04-07"
@@ -263,6 +278,7 @@ rule OpCloudHopper_WmiDLL_inMemory {
 rule VBS_WMIExec_Tool_Apr17_1 {
 meta:
 description = "Tools related to Operation Cloud Hopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
diff --git a/yara/apt_op_honeybee.yar b/yara/apt_op_honeybee.yar
index b4435d5..90dabde 100644
--- a/yara/apt_op_honeybee.yar
+++ b/yara/apt_op_honeybee.yar
@@ -13,6 +13,7 @@ import "pe"
 rule HoneyBee_Dropper_MalDoc {
 meta:
 description = "Detects samples from Operation Honeybee"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/JAHZVL"
 date = "2018-03-03"
@@ -35,6 +36,7 @@ rule HoneyBee_Dropper_MalDoc {
 rule OpHoneybee_Malware_1 {
 meta:
 description = "Detects malware from Operation Honeybee"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/JAHZVL"
 date = "2018-03-03"
@@ -69,6 +71,7 @@ rule OpHoneybee_Malware_1 {
 rule OpHoneybee_MaoCheng_Dropper {
 meta:
 description = "Detects MaoCheng dropper from Operation Honeybee"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/JAHZVL"
 date = "2018-03-03"
diff --git a/yara/apt_passcv.yar b/yara/apt_passcv.yar
index 3a05d1f..7f2f62d 100644
--- a/yara/apt_passcv.yar
+++ b/yara/apt_passcv.yar
@@ -10,6 +10,7 @@
 rule PassCV_Sabre_Malware_1 {
 meta:
 description = "PassCV Malware mentioned in Cylance Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 date = "2016-10-20"
@@ -34,6 +35,7 @@ rule PassCV_Sabre_Malware_1 {
 rule PassCV_Sabre_Malware_Signing_Cert {
 meta:
 description = "PassCV Malware mentioned in Cylance Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 date = "2016-10-20"
@@ -55,6 +57,7 @@ rule PassCV_Sabre_Malware_Signing_Cert {
 rule PassCV_Sabre_Malware_2 {
 meta:
 description = "PassCV Malware mentioned in Cylance Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 date = "2016-10-20"
@@ -78,6 +81,7 @@ rule PassCV_Sabre_Malware_2 {
 rule PassCV_Sabre_Malware_Excalibur_1 {
 meta:
 description = "PassCV Malware mentioned in Cylance Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 date = "2016-10-20"
@@ -99,6 +103,7 @@ rule PassCV_Sabre_Malware_Excalibur_1 {
 rule PassCV_Sabre_Malware_3 {
 meta:
 description = "PassCV Malware mentioned in Cylance Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 date = "2016-10-20"
@@ -116,6 +121,7 @@ rule PassCV_Sabre_Malware_3 {
 rule PassCV_Sabre_Malware_4 {
 meta:
 description = "PassCV Malware mentioned in Cylance Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 date = "2016-10-20"
@@ -131,6 +137,7 @@ rule PassCV_Sabre_Malware_4 {
 rule PassCV_Sabre_Tool_NTScan {
 meta:
 description = "PassCV Malware mentioned in Cylance Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 date = "2016-10-20"
@@ -147,6 +154,7 @@ rule PassCV_Sabre_Tool_NTScan {
 rule PassCV_Sabre_Malware_5 {
 meta:
 description = "PassCV Malware mentioned in Cylance Report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 date = "2016-10-20"
diff --git a/yara/apt_passthehashtoolkit.yar b/yara/apt_passthehashtoolkit.yar
index e161811..e1e8d2d 100644
--- a/yara/apt_passthehashtoolkit.yar
+++ b/yara/apt_passthehashtoolkit.yar
@@ -10,6 +10,7 @@
 rule whosthere_alt {
 meta:
 description = "Auto-generated rule - file whosthere-alt.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
 date = "2015-07-10"
@@ -31,6 +32,7 @@ rule whosthere_alt {
 rule iam_alt_iam_alt {
 meta:
 description = "Auto-generated rule - file iam-alt.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
 date = "2015-07-10"
@@ -52,6 +54,7 @@ rule iam_alt_iam_alt {
 rule genhash_genhash {
 meta:
 description = "Auto-generated rule - file genhash.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
 date = "2015-07-10"
@@ -70,6 +73,7 @@ rule genhash_genhash {
 rule iam_iamdll {
 meta:
 description = "Auto-generated rule - file iamdll.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
 date = "2015-07-10"
@@ -86,6 +90,7 @@ rule iam_iamdll {
 rule iam_iam {
 meta:
 description = "Auto-generated rule - file iam.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
 date = "2015-07-10"
@@ -106,6 +111,7 @@ rule iam_iam {
 rule whosthere_alt_pth {
 meta:
 description = "Auto-generated rule - file pth.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
 date = "2015-07-10"
@@ -124,6 +130,7 @@ rule whosthere_alt_pth {
 rule whosthere {
 meta:
 description = "Auto-generated rule - file whosthere.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
 date = "2015-07-10"
diff --git a/yara/apt_plead_downloader.yar b/yara/apt_plead_downloader.yar
index 5d917ad..e052263 100644
--- a/yara/apt_plead_downloader.yar
+++ b/yara/apt_plead_downloader.yar
@@ -1,6 +1,7 @@
 rule PLEAD_Downloader_Jun18_1 {
 meta:
 description = "Detects PLEAD Downloader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
 date = "2018-06-16"
diff --git a/yara/apt_poisonivy.yar b/yara/apt_poisonivy.yar
index 9ddab9f..006803f 100644
--- a/yara/apt_poisonivy.yar
+++ b/yara/apt_poisonivy.yar
@@ -2,6 +2,7 @@
 rule PoisonIvy_Sample_APT {
 meta:
 description = "Detects a PoisonIvy APT malware group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -22,6 +23,7 @@ rule PoisonIvy_Sample_APT {
 rule PoisonIvy_Sample_APT_2 {
 meta:
 description = "Detects a PoisonIvy Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -56,6 +58,7 @@ rule PoisonIvy_Sample_APT_2 {
 rule PoisonIvy_Sample_APT_3 {
 meta:
 description = "Detects a PoisonIvy Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -73,6 +76,7 @@ rule PoisonIvy_Sample_APT_3 {
 rule PoisonIvy_Sample_APT_4 {
 meta:
 description = "Detects a PoisonIvy Sample APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -95,6 +99,7 @@ rule PoisonIvy_Sample_APT_4 {
 rule PoisonIvy_Sample_5 {
 meta:
 description = "Detects PoisonIvy RAT sample set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -116,6 +121,7 @@ condition:
 rule PoisonIvy_Sample_6 {
 meta:
 description = "Detects PoisonIvy RAT sample set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -154,6 +160,7 @@ rule PoisonIvy_Sample_6 {
 rule PoisonIvy_Sample_7 {
 meta:
 description = "Detects PoisonIvy RAT sample set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
diff --git a/yara/apt_poisonivy_gen3.yar b/yara/apt_poisonivy_gen3.yar
index 0a5c74b..80dba4d 100644
--- a/yara/apt_poisonivy_gen3.yar
+++ b/yara/apt_poisonivy_gen3.yar
@@ -2,6 +2,7 @@
 rule PoisonIvy_Generic_3 {
 meta:
 description = "PoisonIvy RAT Generic Rule"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-05-14"
 hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"
diff --git a/yara/apt_poseidon_group.yar b/yara/apt_poseidon_group.yar
index 8d83232..3a2cd2d 100644
--- a/yara/apt_poseidon_group.yar
+++ b/yara/apt_poseidon_group.yar
@@ -8,6 +8,7 @@
 rule PoseidonGroup_Malware {
 meta:
 description = "Detects Poseidon Group Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
 date = "2016-02-09"
@@ -47,6 +48,7 @@ rule PoseidonGroup_Malware {
 rule PoseidonGroup_MalDoc_1 {
 meta:
 description = "Detects Poseidon Group - Malicious Word Document"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
 date = "2016-02-09"
@@ -61,6 +63,7 @@ rule PoseidonGroup_MalDoc_1 {
 rule PoseidonGroup_MalDoc_2 {
 meta:
 description = "Detects Poseidon Group - Malicious Word Document"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
 date = "2016-02-09"
diff --git a/yara/apt_poshspy.yar b/yara/apt_poshspy.yar
index ba5c9ae..d0ede9f 100644
--- a/yara/apt_poshspy.yar
+++ b/yara/apt_poshspy.yar
@@ -11,6 +11,7 @@
 rule POSHSPY_Malware {
 meta:
 description = "Detects"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
 date = "2017-07-15"
diff --git a/yara/apt_project_m.yar b/yara/apt_project_m.yar
index 26c302e..cfa7d4b 100644
--- a/yara/apt_project_m.yar
+++ b/yara/apt_project_m.yar
@@ -10,6 +10,7 @@
 rule ProjectM_DarkComet_1 {
 meta:
 description = "Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/"
 date = "2016-03-26"
@@ -29,6 +30,7 @@ rule ProjectM_DarkComet_1 {
 rule ProjectM_CrimsonDownloader {
 meta:
 description = "Detects ProjectM Malware - file dc8bd60695070152c94cbeb5f61eca6e4309b8966f1aa9fdc2dd0ab754ad3e4c"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/"
 date = "2016-03-26"
diff --git a/yara/apt_project_sauron_extras.yar b/yara/apt_project_sauron_extras.yar
index ab121e8..fc7fca0 100644
--- a/yara/apt_project_sauron_extras.yar
+++ b/yara/apt_project_sauron_extras.yar
@@ -1,6 +1,7 @@
 rule APT_Project_Sauron_Scripts {
 meta:
 description = "Detects scripts (mostly LUA) from Project Sauron report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-08"
@@ -26,6 +27,7 @@ rule APT_Project_Sauron_Scripts {
 rule APT_Project_Sauron_arping_module {
 meta:
 description = "Detects strings from arping module - Project Sauron report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-08"
@@ -40,6 +42,7 @@ rule APT_Project_Sauron_arping_module {
 rule APT_Project_Sauron_kblogi_module {
 meta:
 description = "Detects strings from kblogi module - Project Sauron report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-08"
@@ -54,6 +57,7 @@ rule APT_Project_Sauron_kblogi_module {
 rule APT_Project_Sauron_basex_module {
 meta:
 description = "Detects strings from basex module - Project Sauron report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-08"
@@ -68,6 +72,7 @@ rule APT_Project_Sauron_basex_module {
 rule APT_Project_Sauron_dext_module {
 meta:
 description = "Detects strings from dext module - Project Sauron report by Kaspersky"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-08"
@@ -83,6 +88,7 @@ rule APT_Project_Sauron_dext_module {
 rule Hacktool_This_Cruft {
 meta:
 description = "Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-08"
@@ -105,7 +111,8 @@ rule Hacktool_This_Cruft {
 rule APT_Project_Sauron_Custom_M1 {
 meta:
 description = "Detects malware from Project Sauron APT"
- author = "FLorian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-09"
 hash1 = "9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9"
@@ -123,7 +130,8 @@ rule APT_Project_Sauron_Custom_M1 {
 rule APT_Project_Sauron_Custom_M2 {
 meta:
 description = "Detects malware from Project Sauron APT"
- author = "FLorian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-09"
 hash1 = "30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8"
@@ -140,7 +148,8 @@ rule APT_Project_Sauron_Custom_M2 {
 rule APT_Project_Sauron_Custom_M3 {
 meta:
 description = "Detects malware from Project Sauron APT"
- author = "FLorian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-09"
 hash1 = "a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec"
@@ -157,7 +166,8 @@ rule APT_Project_Sauron_Custom_M3 {
 rule APT_Project_Sauron_Custom_M4 {
 meta:
 description = "Detects malware from Project Sauron APT"
- author = "FLorian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-09"
 hash1 = "e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57"
@@ -175,7 +185,8 @@ rule APT_Project_Sauron_Custom_M4 {
 rule APT_Project_Sauron_Custom_M6 {
 meta:
 description = "Detects malware from Project Sauron APT"
- author = "FLorian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-09"
 hash1 = "3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8"
@@ -193,7 +204,8 @@ rule APT_Project_Sauron_Custom_M6 {
 rule APT_Project_Sauron_Custom_M7 {
 meta:
 description = "Detects malware from Project Sauron APT"
- author = "FLorian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "https://goo.gl/eFoP4A"
 date = "2016-08-09"
 hash1 = "6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd"
diff --git a/yara/apt_promethium_neodymium.yar b/yara/apt_promethium_neodymium.yar
index c818f6c..09eb623 100644
--- a/yara/apt_promethium_neodymium.yar
+++ b/yara/apt_promethium_neodymium.yar
@@ -10,6 +10,7 @@
 rule PROMETHIUM_NEODYMIUM_Malware_1 {
 meta:
 description = "Detects PROMETHIUM and NEODYMIUM malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8abDE6"
 date = "2016-12-14"
@@ -27,6 +28,7 @@ rule PROMETHIUM_NEODYMIUM_Malware_1 {
 rule PROMETHIUM_NEODYMIUM_Malware_2 {
 meta:
 description = "Detects PROMETHIUM and NEODYMIUM malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8abDE6"
 date = "2016-12-14"
@@ -43,6 +45,7 @@ rule PROMETHIUM_NEODYMIUM_Malware_2 {
 rule PROMETHIUM_NEODYMIUM_Malware_3 {
 meta:
 description = "Detects PROMETHIUM and NEODYMIUM malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8abDE6"
 date = "2016-12-14"
@@ -59,6 +62,7 @@ rule PROMETHIUM_NEODYMIUM_Malware_3 {
 rule PROMETHIUM_NEODYMIUM_Malware_4 {
 meta:
 description = "Detects PROMETHIUM and NEODYMIUM malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8abDE6"
 date = "2016-12-14"
@@ -79,6 +83,7 @@ rule PROMETHIUM_NEODYMIUM_Malware_4 {
 rule PROMETHIUM_NEODYMIUM_Malware_5 {
 meta:
 description = "Detects PROMETHIUM and NEODYMIUM malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8abDE6"
 date = "2016-12-14"
@@ -97,6 +102,7 @@ rule PROMETHIUM_NEODYMIUM_Malware_5 {
 rule PROMETHIUM_NEODYMIUM_Malware_6 {
 meta:
 description = "Detects PROMETHIUM and NEODYMIUM malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/8abDE6"
 date = "2016-12-14"
diff --git a/yara/apt_putterpanda.yar b/yara/apt_putterpanda.yar
index a2944a5..8f2da51 100644
--- a/yara/apt_putterpanda.yar
+++ b/yara/apt_putterpanda.yar
@@ -1,6 +1,7 @@
 rule APT_Malware_PutterPanda_Rel {
 meta:
 description = "Detects an APT malware related to PutterPanda"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -28,6 +29,7 @@ rule APT_Malware_PutterPanda_Rel {
 rule APT_Malware_PutterPanda_Rel_2 {
 meta:
 description = "APT Malware related to PutterPanda Group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -57,6 +59,7 @@ rule APT_Malware_PutterPanda_Rel_2 {
 rule APT_Malware_PutterPanda_PSAPI {
 meta:
 description = "Detects a malware related to Putter Panda"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -75,6 +78,7 @@ rule APT_Malware_PutterPanda_PSAPI {
 rule APT_Malware_PutterPanda_WUAUCLT {
 meta:
 description = "Detects a malware related to Putter Panda"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -124,6 +128,7 @@ rule APT_Malware_PutterPanda_Gen1 {
 rule Malware_MsUpdater_String_in_EXE {
 meta:
 description = "MSUpdater String in Executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 50
 reference = "VT Analysis"
@@ -147,6 +152,7 @@ rule Malware_MsUpdater_String_in_EXE {
 rule APT_Malware_PutterPanda_MsUpdater_3 {
 meta:
 description = "Detects Malware related to PutterPanda - MSUpdater"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -164,6 +170,7 @@ rule APT_Malware_PutterPanda_MsUpdater_3 {
 rule APT_Malware_PutterPanda_MsUpdater_1 {
 meta:
 description = "Detects Malware related to PutterPanda - MSUpdater"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -187,6 +194,7 @@ rule APT_Malware_PutterPanda_MsUpdater_1 {
 rule APT_Malware_PutterPanda_MsUpdater_2 {
 meta:
 description = "Detects Malware related to PutterPanda - MSUpdater"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
@@ -221,6 +229,7 @@ rule APT_Malware_PutterPanda_MsUpdater_2 {
 rule APT_Malware_PutterPanda_Gen4 {
 meta:
 description = "Detects Malware related to PutterPanda"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
diff --git a/yara/apt_quarkspwdump.yar b/yara/apt_quarkspwdump.yar
index 083a3fe..a85cb04 100644
--- a/yara/apt_quarkspwdump.yar
+++ b/yara/apt_quarkspwdump.yar
@@ -2,6 +2,7 @@
 rule QuarksPwDump_Gen {
 meta:
 description = "Detects all QuarksPWDump versions"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-09-29"
 score = 80
diff --git a/yara/apt_quasar_rat.yar b/yara/apt_quasar_rat.yar
index d5a1fb7..7f1c2c7 100644
--- a/yara/apt_quasar_rat.yar
+++ b/yara/apt_quasar_rat.yar
@@ -10,6 +10,7 @@
 rule Quasar_RAT_1 {
 meta:
 description = "Detects Quasar RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
 date = "2017-04-07"
@@ -33,6 +34,7 @@ rule Quasar_RAT_1 {
 rule Quasar_RAT_2 {
 meta:
 description = "Detects Quasar RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
 date = "2017-04-07"
diff --git a/yara/apt_quasar_vermin.yar b/yara/apt_quasar_vermin.yar
index e44ba2d..6bc55bb 100644
--- a/yara/apt_quasar_vermin.yar
+++ b/yara/apt_quasar_vermin.yar
@@ -11,6 +11,7 @@
 rule Quasar_RAT_Jan18_1 {
 meta:
 description = "Detects Quasar RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
 date = "2018-01-29"
@@ -33,6 +34,7 @@ rule Quasar_RAT_Jan18_1 {
 rule Vermin_Keylogger_Jan18_1 {
 meta:
 description = "Detects Vermin Keylogger"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
 date = "2018-01-29"
diff --git a/yara/apt_rancor.yar b/yara/apt_rancor.yar
index 439c713..76b5f2c 100644
--- a/yara/apt_rancor.yar
+++ b/yara/apt_rancor.yar
@@ -13,6 +13,7 @@ import "pe"
 rule APT_RANCOR_JS_Malware {
 meta:
 description = "dropzone - file 1dc5966572e94afc2fbcf8e93e3382eef4e4d7b5bc02f24069c403a28fa6a458"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
 date = "2018-06-26"
@@ -28,6 +29,7 @@ rule APT_RANCOR_JS_Malware {
 rule APT_RANCOR_PLAINTEE_Variant {
 meta:
 description = "Detects PLAINTEE malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
 date = "2018-06-26"
@@ -47,6 +49,7 @@ rule APT_RANCOR_PLAINTEE_Variant {
 rule APT_RANCOR_PLAINTEE_Malware_Exports {
 meta:
 description = "Detects PLAINTEE malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
 date = "2018-06-26"
@@ -58,6 +61,7 @@ rule APT_RANCOR_PLAINTEE_Malware_Exports {
 rule APT_RANCOR_DDKONG_Malware_Exports {
 meta:
 description = "Detects DDKONG malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
 date = "2018-06-26"
diff --git a/yara/apt_reaver_sunorcal.yar b/yara/apt_reaver_sunorcal.yar
index 6061600..47c16ee 100644
--- a/yara/apt_reaver_sunorcal.yar
+++ b/yara/apt_reaver_sunorcal.yar
@@ -14,6 +14,7 @@ import "pe"
 rule Reaver3_Malware_Nov17_1 {
 meta:
 description = "Detects Reaver malware mentioned in PaloAltoNetworks report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
 date = "2017-11-11"
@@ -27,6 +28,7 @@ rule Reaver3_Malware_Nov17_1 {
 rule Reaver3_Malware_Nov17_2 {
 meta:
 description = "Detects Reaver malware mentioned in PaloAltoNetworks report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
 date = "2017-11-11"
@@ -51,6 +53,7 @@ rule Reaver3_Malware_Nov17_2 {
 rule Reaver3_Malware_Nov17_3 {
 meta:
 description = "Detects Reaver malware mentioned in PaloAltoNetworks report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
 date = "2017-11-11"
@@ -75,6 +78,7 @@ rule Reaver3_Malware_Nov17_3 {
 rule SunOrcal_Malware_Nov17_1 {
 meta:
 description = "Detects Reaver malware mentioned in PaloAltoNetworks report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
 date = "2017-11-11"
diff --git a/yara/apt_rehashed_rat.yar b/yara/apt_rehashed_rat.yar
index f6f80d1..000189a 100644
--- a/yara/apt_rehashed_rat.yar
+++ b/yara/apt_rehashed_rat.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Rehashed_RAT_1 {
 meta:
 description = "Detects malware from Rehashed RAT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
 date = "2017-09-08"
@@ -39,6 +40,7 @@ rule Rehashed_RAT_1 {
 rule Rehashed_RAT_2 {
 meta:
 description = "Detects malware from Rehashed RAT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
 date = "2017-09-08"
@@ -65,6 +67,7 @@ rule Rehashed_RAT_2 {
 rule Rehashed_RAT_3 {
 meta:
 description = "Detects malware from Rehashed RAT incident"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
 date = "2017-09-08"
diff --git a/yara/apt_revenge_rat.yar b/yara/apt_revenge_rat.yar
index c317ab3..ed166e7 100644
--- a/yara/apt_revenge_rat.yar
+++ b/yara/apt_revenge_rat.yar
@@ -11,6 +11,7 @@
 rule RevengeRAT_Sep17 {
 meta:
 description = "Detects RevengeRAT malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-09-04"
diff --git a/yara/apt_rocketkitten_keylogger.yar b/yara/apt_rocketkitten_keylogger.yar
index bf39a8c..155c353 100644
--- a/yara/apt_rocketkitten_keylogger.yar
+++ b/yara/apt_rocketkitten_keylogger.yar
@@ -8,6 +8,7 @@
 rule RocketKitten_Keylogger {
 meta:
 description = "Detects Keylogger used in Rocket Kitten APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/SjQhlp"
 date = "2015-09-01"
diff --git a/yara/apt_rokrat.yar b/yara/apt_rokrat.yar
index d2b7973..1322209 100644
--- a/yara/apt_rokrat.yar
+++ b/yara/apt_rokrat.yar
@@ -8,6 +8,7 @@
 rule ROKRAT_Malware {
 meta:
 description = "Detects ROKRAT Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html"
 date = "2017-04-03"
@@ -45,6 +46,7 @@ import "pe"
 rule ROKRAT_Dropper_Nov17 {
 meta:
 description = "Detects dropper for ROKRAT malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
 date = "2017-11-28"
@@ -58,6 +60,7 @@ rule ROKRAT_Dropper_Nov17 {
 rule Freeenki_Infostealer_Nov17 {
 meta:
 description = "Detects Freenki infostealer malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
 date = "2017-11-28"
@@ -87,6 +90,7 @@ rule Freeenki_Infostealer_Nov17 {
 rule Freeenki_Infostealer_Nov17_Export_Sig_Testing {
 meta:
 description = "Detects Freenki infostealer malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
 date = "2017-11-28"
@@ -101,6 +105,7 @@ rule Freeenki_Infostealer_Nov17_Export_Sig_Testing {
 rule ROKRAT_Nov17_1 {
 meta:
 description = "Detects ROKRAT malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-11-28"
diff --git a/yara/apt_rwmc_powershell_creddump.yar b/yara/apt_rwmc_powershell_creddump.yar
index 30b1cf6..d71837c 100644
--- a/yara/apt_rwmc_powershell_creddump.yar
+++ b/yara/apt_rwmc_powershell_creddump.yar
@@ -8,6 +8,7 @@
 rule Reveal_MemoryCredentials {
 meta:
 description = "Auto-generated rule - file Reveal-MemoryCredentials.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/giMini/RWMC/"
 date = "2015-08-31"
@@ -24,6 +25,7 @@ rule Reveal_MemoryCredentials {
 rule MiniDumpTest_msdsc {
 meta:
 description = "Auto-generated rule - file msdsc.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/giMini/RWMC/"
 date = "2015-08-31"
diff --git a/yara/apt_saudi_aramco_phish.yar b/yara/apt_saudi_aramco_phish.yar
index 6012b16..3567bca 100644
--- a/yara/apt_saudi_aramco_phish.yar
+++ b/yara/apt_saudi_aramco_phish.yar
@@ -10,6 +10,7 @@
 rule Saudi_Phish_Trojan {
 meta:
 description = "Detects a trojan used in Saudi Aramco Phishing"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Z3JUAA"
 date = "2017-10-12"
diff --git a/yara/apt_scanbox_deeppanda.yar b/yara/apt_scanbox_deeppanda.yar
index 191b39c..008e976 100644
--- a/yara/apt_scanbox_deeppanda.yar
+++ b/yara/apt_scanbox_deeppanda.yar
@@ -2,6 +2,7 @@
 rule ScanBox_Malware_Generic {
 meta:
 description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference1 = "http://goo.gl/MUUfjv"
 reference2 = "http://goo.gl/WXUQcP"
diff --git a/yara/apt_seaduke_unit42.yar b/yara/apt_seaduke_unit42.yar
index 88e5971..434e393 100644
--- a/yara/apt_seaduke_unit42.yar
+++ b/yara/apt_seaduke_unit42.yar
@@ -10,6 +10,7 @@
 rule SeaDuke_Sample {
 meta:
 description = "SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/MJ0c2M"
 date = "2015-07-14"
diff --git a/yara/apt_sednit_delphidownloader.yar b/yara/apt_sednit_delphidownloader.yar
index e10a7f3..a679419 100644
--- a/yara/apt_sednit_delphidownloader.yar
+++ b/yara/apt_sednit_delphidownloader.yar
@@ -11,6 +11,7 @@
 rule MAL_Sednit_DelphiDownloader_Apr18_2 {
 meta:
 description = "Detects malware from Sednit Delphi Downloader report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"
 date = "2018-04-24"
@@ -37,6 +38,7 @@ rule MAL_Sednit_DelphiDownloader_Apr18_2 {
 rule MAL_Sednit_DelphiDownloader_Apr18_3 {
 meta:
 description = "Detects malware from Sednit Delphi Downloader report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"
 date = "2018-04-24"
diff --git a/yara/apt_shadowpad.yar b/yara/apt_shadowpad.yar
index 429de2b..f8930c2 100644
--- a/yara/apt_shadowpad.yar
+++ b/yara/apt_shadowpad.yar
@@ -13,6 +13,7 @@ import "pe"
 rule ShadowPad_nssock2 {
 meta:
 description = "Detects malicious nssock2.dll from ShadowPad incident - file nssock2.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/shadowpad-in-corporate-networks/81432/"
 date = "2017-08-15"
diff --git a/yara/apt_shamoon2.yar b/yara/apt_shamoon2.yar
index bf9f60b..a5f21fc 100644
--- a/yara/apt_shamoon2.yar
+++ b/yara/apt_shamoon2.yar
@@ -10,6 +10,7 @@
 rule Shamoon2_Wiper {
 meta:
 description = "Detects Shamoon 2.0 Wiper Component"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/jKIfGB"
 date = "2016-12-01"
@@ -72,6 +73,7 @@ rule EldoS_RawDisk {
 rule Shamoon_Disttrack_Dropper {
 meta:
 description = "Detects Shamoon 2.0 Disttrack Dropper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/jKIfGB"
 date = "2016-12-01"
diff --git a/yara/apt_shellcrew_streamex.yar b/yara/apt_shellcrew_streamex.yar
index 6e693ba..864ea1f 100644
--- a/yara/apt_shellcrew_streamex.yar
+++ b/yara/apt_shellcrew_streamex.yar
@@ -39,6 +39,7 @@ rule StreamEx_ShellCrew {
 rule ShellCrew_StreamEx_1 {
 meta:
 description = "Auto-generated rule - file 81f411415aefa5ad7f7ed2365d9a18d0faf33738617afc19215b69c23f212c07"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
 date = "2017-02-10"
@@ -57,6 +58,7 @@ rule ShellCrew_StreamEx_1 {
 rule ShellCrew_StreamEx_1_msi {
 meta:
 description = "Auto-generated rule - file msi.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
 date = "2017-02-10"
@@ -76,6 +78,7 @@ rule ShellCrew_StreamEx_1_msi {
 rule ShellCrew_StreamEx_1_msi_dll {
 meta:
 description = "Auto-generated rule - file msi.dll.eng"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
 date = "2017-02-10"
diff --git a/yara/apt_silence.yar b/yara/apt_silence.yar
index a11c72f..6b3b162 100644
--- a/yara/apt_silence.yar
+++ b/yara/apt_silence.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Silence_malware_1 {
 meta:
 description = "Detects malware sample mentioned in the Silence report on Securelist"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/the-silence/83009/"
 date = "2017-11-01"
@@ -38,6 +39,7 @@ rule Silence_malware_1 {
 rule Silence_malware_2 {
 meta:
 description = "Detects malware sample mentioned in the Silence report on Securelist"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/the-silence/83009/"
 date = "2017-11-01"
diff --git a/yara/apt_slingshot.yar b/yara/apt_slingshot.yar
index 2674358..64e46b0 100644
--- a/yara/apt_slingshot.yar
+++ b/yara/apt_slingshot.yar
@@ -11,6 +11,7 @@ import "pe"
 rule Slingshot_APT_Spork_Downloader {
 meta:
 description = "Detects malware from Slingshot APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/apt-slingshot/84312/"
 date = "2018-03-09"
@@ -24,6 +25,7 @@ rule Slingshot_APT_Spork_Downloader {
 rule Slingshot_APT_Minisling {
 meta:
 description = "Detects malware from Slingshot APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/apt-slingshot/84312/"
 date = "2018-03-09"
@@ -36,6 +38,7 @@ rule Slingshot_APT_Minisling {
 rule Slingshot_APT_Ring0_Loader {
 meta:
 description = "Detects malware from Slingshot APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/apt-slingshot/84312/"
 date = "2018-03-09"
@@ -54,6 +57,7 @@ rule Slingshot_APT_Ring0_Loader {
 rule Slingshot_APT_Malware_1 {
 meta:
 description = "Detects malware from Slingshot APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/apt-slingshot/84312/"
 date = "2018-03-09"
@@ -73,6 +77,7 @@ rule Slingshot_APT_Malware_1 {
 rule Slingshot_APT_Malware_2 {
 meta:
 description = "Detects malware from Slingshot APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/apt-slingshot/84312/"
 date = "2018-03-09"
@@ -92,6 +97,7 @@ rule Slingshot_APT_Malware_2 {
 rule Slingshot_APT_Malware_3 {
 meta:
 description = "Detects malware from Slingshot APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/apt-slingshot/84312/"
 date = "2018-03-09"
@@ -112,6 +118,7 @@ rule Slingshot_APT_Malware_3 {
 rule Slingshot_APT_Malware_4 {
 meta:
 description = "Detects malware from Slingshot APT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/apt-slingshot/84312/"
 date = "2018-03-09"
diff --git a/yara/apt_snaketurla_osx.yar b/yara/apt_snaketurla_osx.yar
index ff31be4..e9ba426 100644
--- a/yara/apt_snaketurla_osx.yar
+++ b/yara/apt_snaketurla_osx.yar
@@ -11,6 +11,7 @@
 rule SnakeTurla_Malware_May17_1 {
 meta:
 description = "Detects Snake / Turla Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QaOh4V"
 date = "2017-05-04"
@@ -24,6 +25,7 @@ rule SnakeTurla_Malware_May17_1 {
 rule SnakeTurla_Malware_May17_2 {
 meta:
 description = "Detects Snake / Turla Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QaOh4V"
 date = "2017-05-04"
@@ -39,6 +41,7 @@ rule SnakeTurla_Malware_May17_2 {
 rule SnakeTurla_Malware_May17_3 {
 meta:
 description = "Detects Snake / Turla Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QaOh4V"
 date = "2017-05-04"
@@ -53,6 +56,7 @@ rule SnakeTurla_Malware_May17_3 {
 rule SnakeTurla_Malware_May17_4 {
 meta:
 description = "Detects Snake / Turla Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QaOh4V"
 date = "2017-05-04"
@@ -66,6 +70,7 @@ rule SnakeTurla_Malware_May17_4 {
 rule SnakeTurla_Installd_SH {
 meta:
 description = "Detects Snake / Turla Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QaOh4V"
 date = "2017-05-04"
@@ -79,6 +84,7 @@ rule SnakeTurla_Installd_SH {
 rule SnakeTurla_Install_SH {
 meta:
 description = "Detects Snake / Turla Sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/QaOh4V"
 date = "2017-05-04"
diff --git a/yara/apt_snowglobe_babar.yar b/yara/apt_snowglobe_babar.yar
index 49f7310..5e7b1d6 100644
--- a/yara/apt_snowglobe_babar.yar
+++ b/yara/apt_snowglobe_babar.yar
@@ -4,6 +4,7 @@
 rule SNOWGLOBE_Babar_Malware {
 meta:
 description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
 date = "2015/02/18"
diff --git a/yara/apt_sofacy.yar b/yara/apt_sofacy.yar
index b7b33b4..67130c5 100644
--- a/yara/apt_sofacy.yar
+++ b/yara/apt_sofacy.yar
@@ -4,6 +4,7 @@ import "pe"
 rule Sofacy_Campaign_Mal_Feb18_cdnver {
 meta:
 description = "Detects Sofacy malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/ClearskySec/status/960924755355369472"
 date = "2018-02-07"
@@ -27,6 +28,7 @@ rule Sofacy_Campaign_Mal_Feb18_cdnver {
 rule Sofacy_Trojan_Loader_Feb18_1 {
 meta:
 description = "Sofacy Activity Feb 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100"
 date = "2018-03-01"
diff --git a/yara/apt_sofacy_dec15.yar b/yara/apt_sofacy_dec15.yar
index e312809..d8f6540 100644
--- a/yara/apt_sofacy_dec15.yar
+++ b/yara/apt_sofacy_dec15.yar
@@ -8,6 +8,7 @@
 rule Sofacy_Malware_StrangeSpaces {
 meta:
 description = "Detetcs strange strings from Sofacy malware with many spaces"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
 date = "2015-12-04"
@@ -23,6 +24,7 @@ rule Sofacy_Malware_StrangeSpaces {
 rule Sofacy_Malware_AZZY_Backdoor_1 {
 meta:
 description = "AZZY Backdoor - Sample 1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
 date = "2015-12-04"
@@ -38,6 +40,7 @@ rule Sofacy_Malware_AZZY_Backdoor_1 {
 rule Sofacy_AZZY_Backdoor_Implant_1 {
 meta:
 description = "AZZY Backdoor Implant 4.3 - Sample 1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
 date = "2015-12-04"
@@ -55,6 +58,7 @@ rule Sofacy_AZZY_Backdoor_Implant_1 {
 rule Sofacy_AZZY_Backdoor_HelperDLL {
 meta:
 description = "Dropped C&C helper DLL for AZZY 4.3"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
 date = "2015-12-04"
@@ -72,6 +76,7 @@ rule Sofacy_AZZY_Backdoor_HelperDLL {
 rule Sofacy_CollectorStealer_Gen1 {
 meta:
 description = "Generic rule to detect Sofacy Malware Collector Stealer"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
 date = "2015-12-04"
@@ -89,6 +94,7 @@ rule Sofacy_CollectorStealer_Gen1 {
 rule Sofacy_CollectorStealer_Gen2 {
 meta:
 description = "File collectors / USB stealers - Generic"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
 date = "2015-12-04"
@@ -106,6 +112,7 @@ rule Sofacy_CollectorStealer_Gen2 {
 rule Sofacy_CollectorStealer_Gen3 {
 meta:
 description = "File collectors / USB stealers - Generic"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
 date = "2015-12-04"
diff --git a/yara/apt_sofacy_fysbis.yar b/yara/apt_sofacy_fysbis.yar
index 2588ff3..7d535e8 100644
--- a/yara/apt_sofacy_fysbis.yar
+++ b/yara/apt_sofacy_fysbis.yar
@@ -9,6 +9,7 @@
 rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
 meta:
 description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
 date = "2016-02-13"
@@ -34,6 +35,7 @@ rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
 rule Sofacy_Fysbis_ELF_Backdoor_Gen2 {
 meta:
 description = "Detects Sofacy Fysbis Linux Backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
 date = "2016-02-13"
diff --git a/yara/apt_sofacy_jun16.yar b/yara/apt_sofacy_jun16.yar
index e94c6ac..b0ab5b7 100644
--- a/yara/apt_sofacy_jun16.yar
+++ b/yara/apt_sofacy_jun16.yar
@@ -10,6 +10,7 @@
 rule Sofacy_Jun16_Sample1 {
 meta:
 description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/mzAa97"
 date = "2016-06-14"
@@ -25,6 +26,7 @@ rule Sofacy_Jun16_Sample1 {
 rule Sofacy_Jun16_Sample2 {
 meta:
 description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/mzAa97"
 date = "2016-06-14"
@@ -47,6 +49,7 @@ rule Sofacy_Jun16_Sample2 {
 rule Sofacy_Jun16_Sample3 {
 meta:
 description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/mzAa97"
 date = "2016-06-14"
diff --git a/yara/apt_sofacy_oct17_camp.yar b/yara/apt_sofacy_oct17_camp.yar
index 364c256..585d3ef 100644
--- a/yara/apt_sofacy_oct17_camp.yar
+++ b/yara/apt_sofacy_oct17_camp.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Sofacy_Oct17_1 {
 meta:
 description = "Detects Sofacy malware reported in October 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
 date = "2017-10-23"
@@ -47,6 +48,7 @@ rule Sofacy_Oct17_1 {
 rule Sofacy_Oct17_2 {
 meta:
 description = "Detects Sofacy malware reported in October 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
 date = "2017-10-23"
diff --git a/yara/apt_sofacy_xtunnel_bundestag.yar b/yara/apt_sofacy_xtunnel_bundestag.yar
index 8ed1064..e1bf1c5 100644
--- a/yara/apt_sofacy_xtunnel_bundestag.yar
+++ b/yara/apt_sofacy_xtunnel_bundestag.yar
@@ -24,7 +24,8 @@ rule apt_sofacy_xtunnel {
 rule Winexe_RemoteExecution {
 meta:
 description = "Winexe tool used by Sofacy group several APT cases"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
 date = "2015-06-19"
 hash = "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d"
@@ -39,7 +40,8 @@ rule Winexe_RemoteExecution {
 rule Sofacy_Mal2 {
 meta:
 description = "Sofacy Group Malware Sample 2"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
 date = "2015-06-19"
 hash = "566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092"
@@ -56,7 +58,8 @@ rule Sofacy_Mal2 {
 rule Sofacy_Mal3 {
 meta:
 description = "Sofacy Group Malware Sample 3"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
 date = "2015-06-19"
 hash = "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1"
@@ -85,7 +88,8 @@ rule Sofacy_Mal3 {
 rule Sofacy_Bundestag_Batch {
 meta:
 description = "Sofacy Bundestags APT Batch Script"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
 date = "2015-06-19"
 score = 70
diff --git a/yara/apt_stonedrill.yar b/yara/apt_stonedrill.yar
index 57b43db..a5baee4 100644
--- a/yara/apt_stonedrill.yar
+++ b/yara/apt_stonedrill.yar
@@ -62,6 +62,7 @@ rule StoneDrill_main_sub {
 
 rule StoneDrill_BAT_1 {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Rule to detect Batch file from StoneDrill report"
 reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
@@ -77,6 +78,7 @@ rule StoneDrill_BAT_1 {
 
 rule StoneDrill_Service_Install {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Rule to detect Batch file from StoneDrill report"
 reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
@@ -92,6 +94,7 @@ rule StoneDrill_Service_Install {
 rule StoneDrill_ntssrvr32 {
 meta:
 description = "Detects malware from StoneDrill threat report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
 date = "2017-03-07"
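Review bot: In the StoneDrill_BAT_1 and StoneDrill_Service_Install hunks of apt_stonedrill.yar the new `license` key is placed directly under `meta:`, ahead of `author` and `description`, whereas every other rule touched by this commit (including StoneDrill_ntssrvr32 in the same file) puts it immediately after `description`. Both positions are valid YARA meta, so this is ordering only, but it leaves the two rules as the odd ones out within an otherwise uniform rule set. Moving the line below `description = "Rule to detect Batch file from StoneDrill report"` in both rules would keep the meta blocks consistent across the repository. Each of these rules continues past the hunk, so the rest of their meta and strings sections is not visible here.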
@@ -111,6 +114,7 @@ rule StoneDrill_ntssrvr32 {
 rule StoneDrill_Malware_2 {
 meta:
 description = "Detects malware from StoneDrill threat report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
 date = "2017-03-07"
@@ -136,6 +140,7 @@ rule StoneDrill_Malware_2 {
 rule StoneDrill {
 meta:
 description = "Detects malware from StoneDrill threat report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
 date = "2017-03-07"
@@ -159,6 +164,7 @@ rule StoneDrill {
 rule StoneDrill_VBS_1 {
 meta:
 description = "Detects malware from StoneDrill threat report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
 date = "2017-03-07"
diff --git a/yara/apt_stuxnet.yar b/yara/apt_stuxnet.yar
index 83168d9..5c49964 100644
--- a/yara/apt_stuxnet.yar
+++ b/yara/apt_stuxnet.yar
@@ -10,6 +10,7 @@
 rule StuxNet_Malware_1 {
 meta:
 description = "Stuxnet Sample - file malware.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-07-09"
@@ -41,6 +42,7 @@ rule StuxNet_Malware_1 {
 rule Stuxnet_Malware_2 {
 meta:
 description = "Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-07-09"
@@ -55,6 +57,7 @@ rule Stuxnet_Malware_2 {
 rule StuxNet_dll {
 meta:
 description = "Stuxnet Sample - file dll.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-07-09"
@@ -68,6 +71,7 @@ rule StuxNet_dll {
 rule Stuxnet_Shortcut_to {
 meta:
 description = "Stuxnet Sample - file Copy of Shortcut to.lnk"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-07-09"
@@ -81,6 +85,7 @@ rule Stuxnet_Shortcut_to {
 rule Stuxnet_Malware_3 {
 meta:
 description = "Stuxnet Sample - file ~WTR4141.tmp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-07-09"
@@ -102,6 +107,7 @@ rule Stuxnet_Malware_3 {
 rule Stuxnet_Malware_4 {
 meta:
 description = "Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-07-09"
@@ -118,6 +124,7 @@ rule Stuxnet_Malware_4 {
 rule Stuxnet_maindll_decrypted_unpacked {
 meta:
 description = "Stuxnet Sample - file maindll.decrypted.unpacked.dll_"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-07-09"
@@ -138,6 +145,7 @@ rule Stuxnet_maindll_decrypted_unpacked {
 rule Stuxnet_s7hkimdb {
 meta:
 description = "Stuxnet Sample - file s7hkimdb.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-07-09"
diff --git a/yara/apt_suckfly.yar b/yara/apt_suckfly.yar
index ce75416..0ddb2a9 100644
--- a/yara/apt_suckfly.yar
+++ b/yara/apt_suckfly.yar
@@ -14,6 +14,7 @@ import "pe"
 rule Suckfly_Nidiran_Gen_1 {
 meta:
 description = "Detects Suckfly Nidiran Trojan"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
 date = "2018-01-28"
@@ -29,6 +30,7 @@ rule Suckfly_Nidiran_Gen_1 { rule Suckfly_Nidiran_Gen_2 { meta: description = "Detects Suckfly Nidiran Trojan" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" date = "2018-01-28" @@ -57,6 +59,7 @@ rule Suckfly_Nidiran_Gen_2 { rule Suckfly_Nidiran_Gen_3 { meta: description = "Detects Suckfly Nidiran Trojan" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" date = "2018-01-28" diff --git a/yara/apt_ta17_293A.yar b/yara/apt_ta17_293A.yar index c1a7463..5dd38e8 100644 --- a/yara/apt_ta17_293A.yar +++ b/yara/apt_ta17_293A.yar @@ -143,6 +143,7 @@ rule TA17_293A_Query_Javascript_Decode_Function { rule TA17_293A_Hacktool_PS_1 { meta: description = "Auto-generated rule - file 72a28efb6e32e653b656ca32ccd44b3111145a695f6f6161965deebbdc437076" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A" date = "2017-10-21" @@ -157,6 +158,7 @@ rule TA17_293A_Hacktool_PS_1 { rule TA17_293A_Hacktool_Touch_MAC_modification { meta: description = "Auto-generated rule - file 070d7082a5abe1112615877214ec82241fd17e5bd465e24d794a470f699af88e" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A" date = "2017-10-21" @@ -173,6 +175,7 @@ rule TA17_293A_Hacktool_Touch_MAC_modification { rule TA17_293A_Hacktool_Exploit_MS16_032 { meta: description = "Auto-generated rule - file 9b97290300abb68fb48480718e6318ee2cdd4f099aa6438010fb2f44803e0b58" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A" date = "2017-10-21" 
@@ -191,6 +194,7 @@ rule TA17_293A_Hacktool_Exploit_MS16_032 { rule Imphash_UPX_Packed_Malware_1_TA17_293A { meta: description = "Detects malware based on Imphash of malware used in TA17-293A" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A" date = "2017-10-21" @@ -202,6 +206,7 @@ rule Imphash_UPX_Packed_Malware_1_TA17_293A { rule Imphash_Malware_2_TA17_293A { meta: description = "Detects malware based on Imphash of malware used in TA17-293A" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A" date = "2017-10-21" diff --git a/yara/apt_ta17_318A.yar b/yara/apt_ta17_318A.yar index d120dcd..3d9d8f8 100644 --- a/yara/apt_ta17_318A.yar +++ b/yara/apt_ta17_318A.yar @@ -49,6 +49,7 @@ import "pe" rule HiddenCobra_FallChill_1 { meta: description = "Auto-generated rule - file a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA17-318A" date = "2017-11-15" @@ -75,6 +76,7 @@ rule HiddenCobra_FallChill_1 { rule HiddenCobra_FallChill_2 { meta: description = "Auto-generated rule - file 0a118eb23399000d148186b9079fa59caf4c3faa7e7a8f91533e467ac9b6ff41" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA17-318A" date = "2017-11-15" diff --git a/yara/apt_ta17_318B.yar b/yara/apt_ta17_318B.yar index 4bd47b3..936bbb8 100644 --- a/yara/apt_ta17_318B.yar +++ b/yara/apt_ta17_318B.yar 
@@ -33,6 +33,7 @@ import "pe" rule Volgmer_Malware { meta: description = "Detects Volgmer malware as reported in US CERT TA17-318B" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA17-318B" date = "2017-11-15" diff --git a/yara/apt_ta18_074A.yar b/yara/apt_ta18_074A.yar index 12ec39f..ec8bf4a 100644 --- a/yara/apt_ta18_074A.yar +++ b/yara/apt_ta18_074A.yar @@ -58,6 +58,7 @@ rule z_webshell { rule TA18_074A_screen { meta: description = "Detects malware mentioned in TA18-074A" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA18-074A" date = "2018-03-16" @@ -75,6 +76,7 @@ rule TA18_074A_screen { rule TA18_074A_scripts { meta: description = "Detects malware mentioned in TA18-074A" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA18-074A" date = "2018-03-16" diff --git a/yara/apt_ta18_149A.yar b/yara/apt_ta18_149A.yar index defde32..0f0c8e0 100644 --- a/yara/apt_ta18_149A.yar +++ b/yara/apt_ta18_149A.yar @@ -13,6 +13,7 @@ import "pe" rule APT_TA18_149A_Joanap_Sample1 { meta: description = "Detects malware from TA18-149A report by US-CERT" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA18-149A" date = "2018-05-30" @@ -34,6 +35,7 @@ rule APT_TA18_149A_Joanap_Sample1 { rule APT_TA18_149A_Joanap_Sample2 { meta: description = "Detects malware from TA18-149A report by US-CERT" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA18-149A" date = "2018-05-30" 
@@ -53,6 +55,7 @@ rule APT_TA18_149A_Joanap_Sample2 { rule APT_TA18_149A_Joanap_Sample3 { meta: description = "Detects malware from TA18-149A report by US-CERT" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.us-cert.gov/ncas/alerts/TA18-149A" date = "2018-05-30" diff --git a/yara/apt_ta459.yar b/yara/apt_ta459.yar index 070c4b9..69766f7 100644 --- a/yara/apt_ta459.yar +++ b/yara/apt_ta459.yar @@ -12,6 +12,7 @@ rule TA459_Malware_May17_1 { meta: description = "Detects TA459 related malware" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/RLf9qU" date = "2017-05-31" @@ -26,6 +27,7 @@ rule TA459_Malware_May17_1 { rule TA459_Malware_May17_2 { meta: description = "Detects TA459 related malware" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/RLf9qU" date = "2017-05-31" diff --git a/yara/apt_telebots.yar b/yara/apt_telebots.yar index 9749171..6d8515f 100644 --- a/yara/apt_telebots.yar +++ b/yara/apt_telebots.yar @@ -10,6 +10,7 @@ rule TeleBots_IntercepterNG { meta: description = "Detects TeleBots malware - IntercepterNG" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/4if3HG" date = "2016-12-14" @@ -30,6 +31,7 @@ rule TeleBots_IntercepterNG { rule TeleBots_KillDisk_1 { meta: description = "Detects TeleBots malware - KillDisk" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/4if3HG" date = "2016-12-14" @@ -49,6 +51,7 @@ rule TeleBots_KillDisk_1 { rule TeleBots_KillDisk_2 { meta: description = "Detects TeleBots malware - KillDisk" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/4if3HG" date = "2016-12-14" 
@@ -64,6 +67,7 @@ rule TeleBots_KillDisk_2 { rule TeleBots_CredRaptor_Password_Stealer { meta: description = "Detects TeleBots malware - CredRaptor Password Stealer" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/4if3HG" date = "2016-12-14" @@ -82,6 +86,7 @@ rule TeleBots_CredRaptor_Password_Stealer { rule TeleBots_VBS_Backdoor_1 { meta: description = "Detects TeleBots malware - VBS Backdoor" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/4if3HG" date = "2016-12-14" @@ -98,6 +103,7 @@ rule TeleBots_VBS_Backdoor_1 { rule TeleBots_VBS_Backdoor_2 { meta: description = "Detects TeleBots malware - VBS Backdoor" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/4if3HG" date = "2016-12-14" @@ -113,6 +119,7 @@ rule TeleBots_VBS_Backdoor_2 { rule TeleBots_Win64_Spy_KeyLogger_G { meta: description = "Detects TeleBots malware - Win64 Spy KeyLogger G" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/4if3HG" date = "2016-12-14" diff --git a/yara/apt_terracotta.yar b/yara/apt_terracotta.yar index e46013c..4dc4338 100644 --- a/yara/apt_terracotta.yar +++ b/yara/apt_terracotta.yar @@ -11,6 +11,7 @@ rule Apolmy_Privesc_Trojan { meta: description = "Apolmy Privilege Escalation Trojan used in APT Terracotta" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" @@ -27,6 +28,7 @@ rule Apolmy_Privesc_Trojan { rule Mithozhan_Trojan { meta: description = "Mitozhan Trojan used in APT Terracotta" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" 
@@ -43,6 +45,7 @@ rule Mithozhan_Trojan { rule RemoteExec_Tool { meta: description = "Remote Access Tool used in APT Terracotta" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" @@ -63,6 +66,7 @@ rule RemoteExec_Tool { rule LiuDoor_Malware_1 { meta: description = "Liudoor Trojan used in Terracotta APT" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" @@ -83,6 +87,7 @@ rule LiuDoor_Malware_1 { rule LiuDoor_Malware_2 { meta: description = "Liudoor Trojan used in Terracotta APT" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" diff --git a/yara/apt_threatgroup_3390.yar b/yara/apt_threatgroup_3390.yar index cd3e15b..02d5b2b 100644 --- a/yara/apt_threatgroup_3390.yar +++ b/yara/apt_threatgroup_3390.yar @@ -8,6 +8,7 @@ rule HttpBrowser_RAT_dropper_Gen1 { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" @@ -48,6 +49,7 @@ rule HttpBrowser_RAT_dropper_Gen1 { rule HttpBrowser_RAT_Sample1 { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" 
@@ -63,6 +65,7 @@ rule HttpBrowser_RAT_Sample1 { rule HttpBrowser_RAT_Sample2 { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" @@ -80,6 +83,7 @@ rule HttpBrowser_RAT_Sample2 { rule HttpBrowser_RAT_Gen { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" @@ -118,6 +122,7 @@ rule HttpBrowser_RAT_Gen { rule PlugX_NvSmartMax_Gen { meta: description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" @@ -146,6 +151,7 @@ rule PlugX_NvSmartMax_Gen { rule HttpBrowser_RAT_dropper_Gen2 { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" @@ -173,6 +179,7 @@ rule HttpBrowser_RAT_dropper_Gen2 { rule ThreatGroup3390_Strings { meta: description = "Threat Group 3390 APT - Strings" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" @@ -190,6 +197,7 @@ rule ThreatGroup3390_Strings { rule ThreatGroup3390_C2 { meta: description = "Threat Group 3390 APT - C2 Server" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" diff --git a/yara/apt_thrip.yar b/yara/apt_thrip.yar index fec7dd3..d77ed8b 100644 --- a/yara/apt_thrip.yar +++ b/yara/apt_thrip.yar 
@@ -13,6 +13,7 @@ import "pe" rule APT_Thrip_Sample_Jun18_1 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -29,6 +30,7 @@ rule APT_Thrip_Sample_Jun18_1 { rule APT_Thrip_Sample_Jun18_2 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -44,6 +46,7 @@ rule APT_Thrip_Sample_Jun18_2 { rule APT_Thrip_Sample_Jun18_3 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -58,6 +61,7 @@ rule APT_Thrip_Sample_Jun18_3 { rule APT_Thrip_Sample_Jun18_4 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -79,6 +83,7 @@ rule APT_Thrip_Sample_Jun18_4 { rule APT_Thrip_Sample_Jun18_5 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" 
@@ -93,6 +98,7 @@ rule APT_Thrip_Sample_Jun18_5 { rule APT_Thrip_Sample_Jun18_6 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -106,6 +112,7 @@ rule APT_Thrip_Sample_Jun18_6 { rule APT_Thrip_Sample_Jun18_7 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -119,6 +126,7 @@ rule APT_Thrip_Sample_Jun18_7 { rule APT_Thrip_Sample_Jun18_8 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -134,6 +142,7 @@ rule APT_Thrip_Sample_Jun18_8 { rule APT_Thrip_Sample_Jun18_9 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -154,6 +163,7 @@ rule APT_Thrip_Sample_Jun18_9 { rule APT_Thrip_Sample_Jun18_10 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" 
@@ -171,6 +181,7 @@ rule APT_Thrip_Sample_Jun18_10 { rule APT_Thrip_Sample_Jun18_11 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -190,6 +201,7 @@ rule APT_Thrip_Sample_Jun18_11 { rule APT_Thrip_Sample_Jun18_12 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -212,6 +224,7 @@ rule APT_Thrip_Sample_Jun18_12 { rule APT_Thrip_Sample_Jun18_13 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -230,6 +243,7 @@ rule APT_Thrip_Sample_Jun18_13 { rule APT_Thrip_Sample_Jun18_14 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -250,6 +264,7 @@ rule APT_Thrip_Sample_Jun18_14 { rule APT_Thrip_Sample_Jun18_15 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" 
@@ -271,6 +286,7 @@ rule APT_Thrip_Sample_Jun18_15 { rule APT_Thrip_Sample_Jun18_16 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -287,6 +303,7 @@ rule APT_Thrip_Sample_Jun18_16 { rule APT_Thrip_Sample_Jun18_17 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" @@ -311,6 +328,7 @@ rule APT_Thrip_Sample_Jun18_17 { rule APT_Thrip_Sample_Jun18_18 { meta: description = "Detects sample found in Thrip report by Symantec " + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets " date = "2018-06-21" diff --git a/yara/apt_tick_datper.yar b/yara/apt_tick_datper.yar index e7f103a..eaa2e78 100644 --- a/yara/apt_tick_datper.yar +++ b/yara/apt_tick_datper.yar @@ -13,6 +13,7 @@ import "pe" rule Datper_Backdoor { meta: description = "Detects Datper Malware" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" date = "2017-08-21" diff --git a/yara/apt_tick_weaponized_usb.yar b/yara/apt_tick_weaponized_usb.yar index 4675a77..0f7ed45 100644 --- a/yara/apt_tick_weaponized_usb.yar +++ b/yara/apt_tick_weaponized_usb.yar 
@@ -13,6 +13,7 @@ import "pe" rule APT_Tick_Sysmon_Loader_Jun18 { meta: description = "Detects Sysmon Loader from Tick group incident - Weaponized USB" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/" date = "2018-06-23" @@ -38,6 +39,7 @@ rule APT_Tick_Sysmon_Loader_Jun18 { rule APT_Tick_HomamDownloader_Jun18 { meta: description = "Detects HomamDownloader from Tick group incident - Weaponized USB" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/" date = "2018-06-23" diff --git a/yara/apt_tidepool.yar b/yara/apt_tidepool.yar index e2e4c9c..93b7968 100644 --- a/yara/apt_tidepool.yar +++ b/yara/apt_tidepool.yar @@ -8,6 +8,7 @@ rule TidePool_Malware { meta: description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://goo.gl/m2CXWR" date = "2016-05-24" diff --git a/yara/apt_tophat.yar b/yara/apt_tophat.yar index 17678e6..9c1946a 100644 --- a/yara/apt_tophat.yar +++ b/yara/apt_tophat.yar @@ -13,6 +13,7 @@ import "pe" rule TopHat_Malware_Jan18_1 { meta: description = "Detects malware from TopHat campaign" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix" date = "2018-01-29" 
@@ -36,6 +37,7 @@ rule TopHat_Malware_Jan18_1 { rule TopHat_Malware_Jan18_2 { meta: description = "Auto-generated rule - file e.exe" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix" date = "2018-01-29" @@ -57,6 +59,7 @@ rule TopHat_Malware_Jan18_2 { rule TopHat_BAT { meta: description = "Auto-generated rule - file cgen.bat" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix" date = "2018-01-29" diff --git a/yara/apt_triton.yar b/yara/apt_triton.yar index 5d5fb3d..e9e8bbc 100644 --- a/yara/apt_triton.yar +++ b/yara/apt_triton.yar @@ -69,6 +69,7 @@ rule TRITON_ICS_FRAMEWORK { rule Triton_trilog { meta: description = "Detects Triton APT malware - file trilog.exe" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://goo.gl/vtQoCQ" date = "2017-12-14" diff --git a/yara/apt_turla.yar b/yara/apt_turla.yar index 0903490..2cfa6b2 100644 --- a/yara/apt_turla.yar +++ b/yara/apt_turla.yar @@ -10,6 +10,7 @@ rule Turla_APT_srsvc { meta: description = "Detects Turla malware (based on sample used in the RUAG APT case)" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" family = "Turla" reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case" 
@@ -31,6 +32,7 @@ rule Turla_APT_srsvc { rule Turla_APT_Malware_Gen1 { meta: description = "Detects Turla malware (based on sample used in the RUAG APT case)" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" family = "Turla" reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case" @@ -69,6 +71,7 @@ rule Turla_APT_Malware_Gen1 { rule Turla_APT_Malware_Gen2 { meta: description = "Detects Turla malware (based on sample used in the RUAG APT case)" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" family = "Turla" reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case" @@ -104,6 +107,7 @@ rule Turla_APT_Malware_Gen2 { rule Turla_APT_Malware_Gen3 { meta: description = "Detects Turla malware (based on sample used in the RUAG APT case)" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" family = "Turla" reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case" @@ -144,6 +148,7 @@ rule Turla_APT_Malware_Gen3 { rule Turla_Mal_Script_Jan18_1 { meta: description = "Detects Turla malicious script" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://ghostbin.com/paste/jsph7" date = "2018-01-19" @@ -183,6 +188,7 @@ rule Turla_KazuarRAT { rule MAL_Turla_Agent_BTZ { meta: description = "Detects Turla Agent.BTZ" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified" date = "2018-04-12" 
@@ -213,6 +219,7 @@ rule MAL_Turla_Agent_BTZ { rule MAL_Turla_Sample_May18_1 { meta: description = "Detects Turla samples" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://twitter.com/omri9741/status/991942007701598208" date = "2018-05-03" diff --git a/yara/apt_turla_mosquito.yar b/yara/apt_turla_mosquito.yar index 237ecdb..27027e7 100644 --- a/yara/apt_turla_mosquito.yar +++ b/yara/apt_turla_mosquito.yar @@ -13,6 +13,7 @@ import "pe" rule TurlaMosquito_Mal_1 { meta: description = "Detects malware sample from Turla Mosquito report" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" date = "2018-02-22" @@ -30,6 +31,7 @@ rule TurlaMosquito_Mal_1 { rule TurlaMosquito_Mal_2 { meta: description = "Detects malware sample from Turla Mosquito report" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" date = "2018-02-22" @@ -50,6 +52,7 @@ rule TurlaMosquito_Mal_2 { rule TurlaMosquito_Mal_3 { meta: description = "Detects malware sample from Turla Mosquito report" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" date = "2018-02-22" @@ -73,6 +76,7 @@ rule TurlaMosquito_Mal_3 { rule TurlaMosquito_Mal_4 { meta: description = "Detects malware sample from Turla Mosquito report" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" date = "2018-02-22" 
@@ -84,6 +88,7 @@ rule TurlaMosquito_Mal_4 { rule TurlaMosquito_Mal_5 { meta: description = "Detects malware sample from Turla Mosquito report" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" date = "2018-02-22" @@ -95,6 +100,7 @@ rule TurlaMosquito_Mal_5 { rule TurlaMosquito_Mal_6 { meta: description = "Detects malware sample from Turla Mosquito report" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" date = "2018-02-22" @@ -117,6 +123,7 @@ rule TurlaMosquito_Mal_6 { rule TurlaMosquito_Mal_7 { meta: description = "Detects malware sample from Turla Mosquito report" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" date = "2018-02-22" diff --git a/yara/apt_uboat_rat.yar b/yara/apt_uboat_rat.yar index 8b18518..01da4ce 100644 --- a/yara/apt_uboat_rat.yar +++ b/yara/apt_uboat_rat.yar @@ -9,6 +9,7 @@ rule UBoatRAT { meta: description = "Detects UBoat RAT Samples" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" date = "2017-11-29" @@ -50,6 +51,7 @@ rule UBoatRAT { rule UBoatRAT_Dropper { meta: description = "Detects UBoatRAT Dropper" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" date = "2017-11-29" diff --git a/yara/apt_unit78020_malware.yar b/yara/apt_unit78020_malware.yar index a0e7c92..cc01a3b 100644 --- a/yara/apt_unit78020_malware.yar +++ b/yara/apt_unit78020_malware.yar 
@@ -8,6 +8,7 @@ rule Unit78020_Malware_Gen1 { meta: description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy" date = "2015-09-24" @@ -63,6 +64,7 @@ rule Unit78020_Malware_Gen1 { rule Unit78020_Malware_1 { meta: description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy" date = "2015-09-24" @@ -81,6 +83,7 @@ rule Unit78020_Malware_1 { rule Unit78020_Malware_Gen2 { meta: description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy" date = "2015-09-24" @@ -102,6 +105,7 @@ rule Unit78020_Malware_Gen2 { rule Unit78020_Malware_Gen3 { meta: description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy" date = "2015-09-24" diff --git a/yara/apt_venom_linux_rootkit.yar b/yara/apt_venom_linux_rootkit.yar index 70e4c67..50226f9 100644 --- a/yara/apt_venom_linux_rootkit.yar +++ b/yara/apt_venom_linux_rootkit.yar @@ -10,6 +10,7 @@ rule Venom_Rootkit { meta: description = "Venom Linux Rootkit" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "https://security.web.cern.ch/security/venom.shtml" date = "2017-01-12" diff --git a/yara/apt_volatile_cedar.yar b/yara/apt_volatile_cedar.yar index 0e96086..5491658 100644 --- a/yara/apt_volatile_cedar.yar +++ b/yara/apt_volatile_cedar.yar 
@@ -13,6 +13,7 @@ rule Explosive_EXE : APT { rule Explosion_Sample_1 { meta: description = "Explosion/Explosive Malware - Volatile Cedar APT" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://goo.gl/5vYaNb" date = "2015/04/03" @@ -37,6 +38,7 @@ rule Explosion_Sample_1 { rule Explosion_Sample_2 { meta: description = "Explosion/Explosive Malware - Volatile Cedar APT" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://goo.gl/5vYaNb" date = "2015/04/03" @@ -54,6 +56,7 @@ rule Explosion_Sample_2 { rule Explosion_Generic_1 { meta: description = "Generic Rule for Explosion/Explosive Malware - Volatile Cedar APT" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "not set" date = "2015/04/03" @@ -83,6 +86,7 @@ rule Explosion_Generic_1 { rule Explosive_UA { meta: description = "Explosive Malware Embedded User Agent - Volatile Cedar APT http://goo.gl/HQRCdw" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://goo.gl/HQRCdw" date = "2015/04/03" @@ -97,6 +101,7 @@ rule Explosive_UA { rule Webshell_Caterpillar_ASPX { meta: description = "Volatile Cedar Webshell - from file caterpillar.aspx" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "http://goo.gl/emons5" date = "2015/04/03" diff --git a/yara/apt_vpnfilter.yar b/yara/apt_vpnfilter.yar index 425d153..c53a26c 100644 --- a/yara/apt_vpnfilter.yar +++ b/yara/apt_vpnfilter.yar @@ -11,6 +11,7 @@ rule MAL_ELF_VPNFilter_1 { meta: description = "dropzone - file f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" reference = "Internal Research" date = "2018-05-24" 
@@ -31,6 +32,7 @@ rule MAL_ELF_VPNFilter_1 {
 rule MAL_ELF_VPNFilter_2 {
 meta:
 description = "dropzone - file 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-05-24"
@@ -46,6 +48,7 @@ rule MAL_ELF_VPNFilter_2 {
 rule MAL_ELF_VPNFilter_3 {
 meta:
 description = "dropzone - file 0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-05-24"
@@ -74,6 +77,7 @@ rule MAL_ELF_VPNFilter_3 {
 rule SUSP_ELF_Tor_Client {
 meta:
 description = "dropzone - file afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-05-24"
diff --git a/yara/apt_waterbear.yar b/yara/apt_waterbear.yar
index 1af3a95..c8d416f 100644
--- a/yara/apt_waterbear.yar
+++ b/yara/apt_waterbear.yar
@@ -11,6 +11,7 @@
 rule Waterbear_1_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -25,6 +26,7 @@ rule Waterbear_1_Jun17 {
 rule Waterbear_2_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -41,6 +43,7 @@ rule Waterbear_2_Jun17 {
 rule Waterbear_4_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -64,6 +67,7 @@ rule Waterbear_4_Jun17 {
 rule Waterbear_5_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -84,6 +88,7 @@ rule Waterbear_5_Jun17 {
 rule Waterbear_6_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -98,6 +103,7 @@ rule Waterbear_6_Jun17 {
 rule Waterbear_7_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -115,6 +121,7 @@ rule Waterbear_7_Jun17 {
 rule Waterbear_8_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -133,6 +140,7 @@ rule Waterbear_8_Jun17 {
 rule Waterbear_9_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -152,6 +160,7 @@ rule Waterbear_9_Jun17 {
 rule Waterbear_10_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -167,6 +176,7 @@ rule Waterbear_10_Jun17 {
 rule Waterbear_11_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -183,6 +193,7 @@ rule Waterbear_11_Jun17 {
 rule Waterbear_12_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -197,6 +208,7 @@ rule Waterbear_12_Jun17 {
 rule Waterbear_13_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
@@ -222,6 +234,7 @@ rule Waterbear_13_Jun17 {
 rule Waterbear_14_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/L9g9eR"
 date = "2017-06-23"
diff --git a/yara/apt_webmonitor_rat.yar b/yara/apt_webmonitor_rat.yar
index 9924e14..54938fc 100644
--- a/yara/apt_webmonitor_rat.yar
+++ b/yara/apt_webmonitor_rat.yar
@@ -1,6 +1,7 @@
 rule MAL_WebMonitor_RAT {
 meta:
 description = "Detects WebMonitor RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/"
 date = "2018-04-13"
diff --git a/yara/apt_webshell_chinachopper.yar b/yara/apt_webshell_chinachopper.yar
index c54f907..515872b 100644
--- a/yara/apt_webshell_chinachopper.yar
+++ b/yara/apt_webshell_chinachopper.yar
@@ -2,6 +2,7 @@
 rule ChinaChopper_Generic {
 meta:
 description = "China Chopper Webshells - PHP and ASPX"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf"
 date = "2015/03/10"
diff --git a/yara/apt_wildneutron.yar b/yara/apt_wildneutron.yar
index 2474d5f..1323e2e 100644
--- a/yara/apt_wildneutron.yar
+++ b/yara/apt_wildneutron.yar
@@ -10,6 +10,7 @@
 rule WildNeutron_Sample_1 {
 meta:
 description = "Wild Neutron APT Sample Rule - file 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -34,6 +35,7 @@ rule WildNeutron_Sample_1 {
 rule WildNeutron_Sample_2 {
 meta:
 description = "Wild Neutron APT Sample Rule - file 8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -55,6 +57,7 @@ rule WildNeutron_Sample_2 {
 rule WildNeutron_Sample_3 {
 meta:
 description = "Wild Neutron APT Sample Rule - file c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -79,6 +82,7 @@ rule WildNeutron_Sample_3 {
 rule WildNeutron_Sample_4 {
 meta:
 description = "Wild Neutron APT Sample Rule - file b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -102,6 +106,7 @@ rule WildNeutron_Sample_4 {
 rule WildNeutron_Sample_5 {
 meta:
 description = "Wild Neutron APT Sample Rule - file 1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -125,6 +130,7 @@ rule WildNeutron_Sample_5 {
 rule WildNeutron_Sample_6 {
 meta:
 description = "Wild Neutron APT Sample Rule - file 4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -139,6 +145,7 @@ rule WildNeutron_Sample_6 {
 rule WildNeutron_Sample_7 {
 meta:
 description = "Wild Neutron APT Sample Rule - file a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -164,6 +171,7 @@ rule WildNeutron_Sample_7 {
 rule subTee_nativecmd {
 meta:
 description = "NativeCmd - used by various threat groups"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -197,6 +205,7 @@ rule subTee_nativecmd {
 rule WildNeutron_Sample_9 {
 meta:
 description = "Wild Neutron APT Sample Rule - file 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -218,6 +227,7 @@ rule WildNeutron_Sample_9 {
 rule WildNeutron_Sample_10 {
 meta:
 description = "Wild Neutron APT Sample Rule - file 1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
@@ -262,6 +272,7 @@ rule WildNeutron_Sample_10 {
 rule WildNeutron_javacpl {
 meta:
 description = "Wild Neutron APT Sample Rule"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
 date = "2015-07-10"
diff --git a/yara/apt_wilted_tulip.yar b/yara/apt_wilted_tulip.yar
index 6214b52..f0c34c7 100644
--- a/yara/apt_wilted_tulip.yar
+++ b/yara/apt_wilted_tulip.yar
@@ -13,6 +13,7 @@ import "pe"
 rule WiltedTulip_Tools_back {
 meta:
 description = "Detects Chrome password dumper used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -28,6 +29,7 @@ rule WiltedTulip_Tools_back {
 rule WiltedTulip_Tools_clrlg {
 meta:
 description = "Detects Windows eventlog cleaner used in Operation Wilted Tulip - file clrlg.bat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -42,6 +44,7 @@ rule WiltedTulip_Tools_clrlg {
 rule WiltedTulip_powershell {
 meta:
 description = "Detects powershell script used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -55,6 +58,7 @@ rule WiltedTulip_powershell {
 rule WiltedTulip_vminst {
 meta:
 description = "Detects malware used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -82,6 +86,7 @@ rule WiltedTulip_vminst {
 rule WiltedTulip_Windows_UM_Task {
 meta:
 description = "Detects a Windows scheduled task as used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -99,6 +104,7 @@ rule WiltedTulip_Windows_UM_Task {
 rule WiltedTulip_WindowsTask {
 meta:
 description = "Detects hack tool used in Operation Wilted Tulip - Windows Tasks"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -118,6 +124,7 @@ rule WiltedTulip_WindowsTask {
 rule WiltedTulip_tdtess {
 meta:
 description = "Detects malicious service used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -135,6 +142,7 @@ rule WiltedTulip_tdtess {
 rule WiltedTulip_SilverlightMSI {
 meta:
 description = "Detects powershell tool call Get_AD_Users_Logon_History used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -151,6 +159,7 @@ rule WiltedTulip_SilverlightMSI {
 rule WiltedTulip_matryoshka_Injector {
 meta:
 description = "Detects hack tool used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -173,6 +182,7 @@ rule WiltedTulip_matryoshka_Injector {
 rule WiltedTulip_Zpp {
 meta:
 description = "Detects hack tool used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -196,6 +206,7 @@ rule WiltedTulip_Zpp {
 rule WiltedTulip_Netsrv_netsrvs {
 meta:
 description = "Detects sample from Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -221,6 +232,7 @@ rule WiltedTulip_Netsrv_netsrvs {
 rule WiltedTulip_ReflectiveLoader {
 meta:
 description = "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
@@ -245,6 +257,7 @@ rule WiltedTulip_ReflectiveLoader {
 rule WiltedTulip_Matryoshka_RAT {
 meta:
 description = "Detects Matryoshka RAT used in Operation Wilted Tulip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.clearskysec.com/tulip"
 date = "2017-07-23"
diff --git a/yara/apt_win_plugx.yar b/yara/apt_win_plugx.yar
index d79e2a2..fb893ac 100644
--- a/yara/apt_win_plugx.yar
+++ b/yara/apt_win_plugx.yar
@@ -10,6 +10,7 @@
 rule PlugX_J16_Gen {
 meta:
 description = "Detects PlugX Malware samples from June 2016"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Research"
 date = "2016-06-08"
@@ -40,6 +41,7 @@ rule PlugX_J16_Gen {
 rule PlugX_J16_Gen2 {
 meta:
 description = "Detects PlugX Malware Samples from June 2016"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Research"
 date = "2016-06-08"
diff --git a/yara/apt_winnti.yar b/yara/apt_winnti.yar
index a8ba27b..f1e1d8e 100644
--- a/yara/apt_winnti.yar
+++ b/yara/apt_winnti.yar
@@ -9,6 +9,7 @@ import "pe"
 rule Winnti_signing_cert {
 meta:
 description = "Detects a signing certificate used by the Winnti APT group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/"
 date = "2015-10-10"
@@ -26,6 +27,7 @@ rule Winnti_signing_cert {
 rule Winnti_malware_Nsiproxy {
 meta:
 description = "Detects a Winnti rootkit"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-10-10"
 score = 75
@@ -52,6 +54,7 @@ rule Winnti_malware_Nsiproxy {
 rule Winnti_malware_UpdateDLL {
 meta:
 description = "Detects a Winnti malware - Update.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VTI research"
 date = "2015-10-10"
@@ -84,6 +87,7 @@ rule Winnti_malware_UpdateDLL {
 rule Winnti_malware_FWPK {
 meta:
 description = "Detects a Winnti malware - FWPKCLNT.SYS"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VTI research"
 date = "2015-10-10"
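Review bot: The Winnti_malware_Nsiproxy meta block in yara/apt_winnti.yar (hunk `@@ -26,6 +27,7 @@`) is the only one in this file whose visible context carries no `reference` entry — it goes straight from `author` to `date` and `score`, while the neighbouring rules each document their source (`reference = "VTI research"` or a URL). Since this commit already touches every meta block in the file, it is the natural moment to add a `reference` line here as well, so an analyst triaging a hit can trace where the rule's indicators came from; the rest of the rule body lies outside the hunk, so I can only infer the omission from the context lines shown. Keep the key name `reference` so the field is read the same way across the rule set.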
@@ -111,6 +115,7 @@ rule Winnti_malware_FWPK {
 rule Winnti_malware_StreamPortal_Gen {
 meta:
 description = "Detects a Winnti malware - Streamportal"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VTI research"
 date = "2015-10-10"
diff --git a/yara/apt_winnti_burning_umbrella.yar b/yara/apt_winnti_burning_umbrella.yar
index 30b7038..c1c2fb8 100644
--- a/yara/apt_winnti_burning_umbrella.yar
+++ b/yara/apt_winnti_burning_umbrella.yar
@@ -13,6 +13,7 @@ import "pe"
 rule MAL_BurningUmbrella_Sample_1 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -31,6 +32,7 @@ rule MAL_BurningUmbrella_Sample_1 {
 rule MAL_BurningUmbrella_Sample_2 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -49,6 +51,7 @@ rule MAL_BurningUmbrella_Sample_2 {
 rule MAL_BurningUmbrella_Sample_3 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -62,6 +65,7 @@ rule MAL_BurningUmbrella_Sample_3 {
 rule MAL_BurningUmbrella_Sample_4 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -93,6 +97,7 @@ rule MAL_BurningUmbrella_Sample_4 {
 rule MAL_BurningUmbrella_Sample_6 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -107,6 +112,7 @@ rule MAL_BurningUmbrella_Sample_6 {
 rule MAL_BurningUmbrella_Sample_7 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -120,6 +126,7 @@ rule MAL_BurningUmbrella_Sample_7 {
 rule MAL_BurningUmbrella_Sample_8 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -133,6 +140,7 @@ rule MAL_BurningUmbrella_Sample_8 {
 rule MAL_BurningUmbrella_Sample_10 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -149,6 +157,7 @@ rule MAL_BurningUmbrella_Sample_10 {
 rule MAL_BurningUmbrella_Sample_11 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -162,6 +171,7 @@ rule MAL_BurningUmbrella_Sample_11 {
 rule MAL_BurningUmbrella_Sample_12 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -183,6 +193,7 @@ rule MAL_BurningUmbrella_Sample_12 {
 rule MAL_BurningUmbrella_Sample_13 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -195,6 +206,7 @@ rule MAL_BurningUmbrella_Sample_13 {
 rule MAL_BurningUmbrella_Sample_14 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -209,6 +221,7 @@ rule MAL_BurningUmbrella_Sample_14 {
 rule MAL_BurningUmbrella_Sample_15 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -224,6 +237,7 @@ rule MAL_BurningUmbrella_Sample_15 {
 rule MAL_BurningUmbrella_Sample_16 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -237,6 +251,7 @@ rule MAL_BurningUmbrella_Sample_16 {
 rule MAL_BurningUmbrella_Sample_17 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -256,6 +271,7 @@ rule MAL_BurningUmbrella_Sample_17 {
 rule MAL_BurningUmbrella_Sample_18 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -283,6 +299,7 @@ rule MAL_BurningUmbrella_Sample_18 {
 rule MAL_BurningUmbrella_Sample_19 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -300,6 +317,7 @@ rule MAL_BurningUmbrella_Sample_19 {
 rule MAL_BurningUmbrella_Sample_20 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -320,6 +338,7 @@ rule MAL_BurningUmbrella_Sample_20 {
 rule MAL_BurningUmbrella_Sample_21 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -339,6 +358,7 @@ rule MAL_BurningUmbrella_Sample_21 {
 rule MAL_BurningUmbrella_Sample_22 {
 meta:
 description = "Detects malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -358,6 +378,7 @@ rule MAL_BurningUmbrella_Sample_22 {
 rule MAL_AirdViper_Sample_Apr18_1 {
 meta:
 description = "Detects Arid Viper malware sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-05-04"
@@ -384,6 +405,7 @@ rule MAL_AirdViper_Sample_Apr18_1 {
 rule MAL_Winnti_Sample_May18_1 {
 meta:
 description = "Detects malware sample from Burning Umbrella report - Generic Winnti Rule"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
@@ -398,6 +420,7 @@ rule MAL_Winnti_Sample_May18_1 {
 rule MAL_Visel_Sample_May18_1 {
 meta:
 description = "Detects Visel malware sample from Burning Umbrella report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://401trg.pw/burning-umbrella/"
 date = "2018-05-04"
diff --git a/yara/apt_winnti_hdroot.yar b/yara/apt_winnti_hdroot.yar
index 8fb6f22..9d40c26 100644
--- a/yara/apt_winnti_hdroot.yar
+++ b/yara/apt_winnti_hdroot.yar
@@ -11,6 +11,7 @@
 rule HDRoot_Sample_Jul17_1 {
 meta:
 description = "Detects HDRoot samples"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Winnti HDRoot VT"
 date = "2017-07-07"
@@ -26,6 +27,7 @@ rule HDRoot_Sample_Jul17_1 {
 rule HDRoot_Sample_Jul17_2 {
 meta:
 description = "Detects HDRoot samples"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Winnti HDRoot VT"
 date = "2017-07-07"
@@ -62,6 +64,7 @@ rule HDRoot_Sample_Jul17_2 {
 rule Unspecified_Malware_Jul17_1A {
 meta:
 description = "Detects samples of an unspecified malware - July 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Winnti HDRoot VT"
 date = "2017-07-07"
diff --git a/yara/apt_winnti_ms_report_201701.yar b/yara/apt_winnti_ms_report_201701.yar
index 94c9942..8577e15 100644
--- a/yara/apt_winnti_ms_report_201701.yar
+++ b/yara/apt_winnti_ms_report_201701.yar
@@ -10,6 +10,7 @@
 rule Winnti_fonfig {
 meta:
 description = "Winnti sample - file fonfig.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/VbvJtL"
 date = "2017-01-25"
@@ -24,6 +25,7 @@ rule Winnti_fonfig {
 rule Winnti_NlaifSvc {
 meta:
 description = "Winnti sample - file NlaifSvc.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/VbvJtL"
 date = "2017-01-25"
diff --git a/yara/apt_woolengoldfish.yar b/yara/apt_woolengoldfish.yar
index 7ef2fd6..eb937c7 100644
--- a/yara/apt_woolengoldfish.yar
+++ b/yara/apt_woolengoldfish.yar
@@ -13,6 +13,7 @@
 rule WoolenGoldfish_Sample_1 {
 meta:
 description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/NpJpVZ"
 date = "2015/03/25"
@@ -28,6 +29,7 @@ rule WoolenGoldfish_Sample_1 {
 rule WoolenGoldfish_Generic_1 {
 meta:
 description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/NpJpVZ"
 date = "2015/03/25"
@@ -58,6 +60,7 @@ rule WoolenGoldfish_Generic_1 {
 rule WoolenGoldfish_Generic_2 {
 meta:
 description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/NpJpVZ"
 date = "2015/03/25"
@@ -75,6 +78,7 @@ rule WoolenGoldfish_Generic_2 {
 rule WoolenGoldfish_Generic_3 {
 meta:
 description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/NpJpVZ"
 date = "2015/03/25"
diff --git a/yara/apt_xrat.yar b/yara/apt_xrat.yar
index 14aa774..9cc3820 100644
--- a/yara/apt_xrat.yar
+++ b/yara/apt_xrat.yar
@@ -12,6 +12,7 @@
 rule xRAT_1 {
 meta:
 description = "Detects Patchwork malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Pg3P4W"
 date = "2017-12-11"
diff --git a/yara/apt_zxshell.yar b/yara/apt_zxshell.yar
index 7249d2c..80f511e 100644
--- a/yara/apt_zxshell.yar
+++ b/yara/apt_zxshell.yar
@@ -12,6 +12,7 @@
 rule ZxShell_Related_Malware_CN_Group_Jul17_1 {
 meta:
 description = "Detects a ZxShell related sample from a CN threat group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blogs.rsa.com/cat-phishing/"
 date = "2017-07-08"
@@ -30,6 +31,7 @@ rule ZxShell_Related_Malware_CN_Group_Jul17_1 {
 rule ZxShell_Related_Malware_CN_Group_Jul17_2 {
 meta:
 description = "Detects a ZxShell related sample from a CN threat group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blogs.rsa.com/cat-phishing/"
 date = "2017-07-08"
@@ -56,6 +58,7 @@ rule ZxShell_Related_Malware_CN_Group_Jul17_2 {
 rule ZxShell_Related_Malware_CN_Group_Jul17_3 {
 meta:
 description = "Detects a ZxShell related sample from a CN threat group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blogs.rsa.com/cat-phishing/"
 date = "2017-07-08"
@@ -70,6 +73,7 @@ rule ZxShell_Related_Malware_CN_Group_Jul17_3 {
 rule ZxShell_Jul17 {
 meta:
 description = "Detects a ZxShell - CN threat group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blogs.rsa.com/cat-phishing/"
 date = "2017-07-08"
@@ -107,6 +111,7 @@ import "pe"
 rule ZXshell_20171211_chrsben {
 meta:
 description = "Detects ZxShell variant surfaced in Dec 17"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/snc85M"
 date = "2017-12-11"
diff --git a/yara/cn_pentestset_scripts.yar b/yara/cn_pentestset_scripts.yar
index 2c5534a..cef2ba0 100644
--- a/yara/cn_pentestset_scripts.yar
+++ b/yara/cn_pentestset_scripts.yar
@@ -8,7 +8,8 @@
 rule CN_Honker_mafix_root {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file root"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -24,7 +25,8 @@ rule CN_Honker_mafix_root {
 rule CN_Honker_passwd_dict_3389 {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file 3389.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -45,7 +47,8 @@ rule CN_Honker_passwd_dict_3389 {
 rule CN_Honker_Perl_serv_U {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -60,7 +63,8 @@ rule CN_Honker_Perl_serv_U {
 rule CN_Honker_F4ck_Team_f4ck {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file f4ck.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -76,7 +80,8 @@ rule CN_Honker_F4ck_Team_f4ck {
 rule CN_Honker_sig_3389_3389 {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file 3389.vbs"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
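Review bot: In every hunk of yara/cn_pentestset_scripts.yar on this line, and in the further hunks of the same file on the next three lines, the `author = "Florian Roth"` line is removed and re-added with identical visible text, so the only difference on that line can be leading whitespace (the collapsed diff hides which), not the license insertion itself. Every other file in this commit inserts the `license` line without touching `author`, so these hunks carry an unrelated re-indentation that doubles their size and makes it harder to audit that nothing but metadata changed in a detection rule file. The `license` line should be inserted with the same leading whitespace the file already uses for `description` and `author`, leaving the `author` line untouched, and any whitespace normalisation of this file should go in a separate commit; `git diff -w` on the commit would confirm whether the old and new `author` lines are otherwise byte-identical.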
@@ -90,7 +95,8 @@ rule CN_Honker_sig_3389_3389 {
 rule CN_Honker_sig_3389_3389_2 {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -105,7 +111,8 @@ rule CN_Honker_sig_3389_3389_2 {
 rule CN_Honker_Injection_Transit_jmCook {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file jmCook.asp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -120,7 +127,8 @@ rule CN_Honker_Injection_Transit_jmCook {
 rule CN_Honker_Pwdump7_Pwdump7 {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -134,7 +142,8 @@ rule CN_Honker_Pwdump7_Pwdump7 {
 rule CN_Honker_portRecall_pr {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file pr"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -150,7 +159,8 @@ rule CN_Honker_portRecall_pr {
 rule CN_Honker_sig_3389_3389_3 {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -166,7 +176,8 @@ rule CN_Honker_sig_3389_3389_3 {
 rule CN_Honker_Alien_D {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file D.ASP"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -184,7 +195,8 @@ rule CN_Honker_Alien_D {
 rule CN_Honker_ChinaChopper_db {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file db.mdb"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -200,7 +212,8 @@ rule CN_Honker_ChinaChopper_db {
 rule CN_Honker_syconfig {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file syconfig.dll"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -214,7 +227,8 @@ rule CN_Honker_syconfig {
 rule CN_Honker_linux_bin {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file linux_bin"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -229,7 +243,8 @@ rule CN_Honker_linux_bin {
 rule CN_Honker_Intersect2_Beta {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -245,7 +260,8 @@ rule CN_Honker_Intersect2_Beta {
 rule CN_Honker_IIS_logcleaner1_0_readme {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file readme.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -260,7 +276,8 @@ rule CN_Honker_IIS_logcleaner1_0_readme {
 rule CN_Honker_Alien_command {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file command.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -275,7 +292,8 @@ rule CN_Honker_Alien_command {
 rule CN_Honker_portRecall_bc {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file bc.pl"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -291,7 +309,8 @@ rule CN_Honker_portRecall_bc {
 rule CN_Honker_Tuoku_script_MSSQL_ {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -307,7 +326,8 @@ rule CN_Honker_Tuoku_script_MSSQL_ {
 rule CN_Honker_nc_MOVE {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file MOVE.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
@@ -323,7 +343,8 @@ rule CN_Honker_nc_MOVE {
 rule CN_Honker_mssqlpw_scan {
 meta:
 description = "Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
 score = 70
diff --git a/yara/cn_pentestset_tools.yar b/yara/cn_pentestset_tools.yar
index dacacc0..a447c86 100644
--- a/yara/cn_pentestset_tools.yar
+++ b/yara/cn_pentestset_tools.yar
@@ -10,6 +10,7 @@
 rule CN_Honker_MAC_IPMAC {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file IPMAC.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -26,6 +27,7 @@ rule CN_Honker_MAC_IPMAC {
 rule CN_Honker_GetSyskey {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file GetSyskey.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -41,6 +43,7 @@ rule CN_Honker_GetSyskey {
 rule CN_Honker_Churrasco {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Churrasco.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -60,6 +63,7 @@ rule CN_Honker_Churrasco {
 rule CN_Honker_mysql_injectV1_1_Creak {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -75,6 +79,7 @@ rule CN_Honker_mysql_injectV1_1_Creak {
 rule CN_Honker_ASP_wshell {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file wshell.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -92,6 +97,7 @@ rule CN_Honker_ASP_wshell {
 rule CN_Honker_exp_iis7 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file iis7.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -109,6 +115,7 @@ rule CN_Honker_exp_iis7 {
 rule CN_Honker_SegmentWeapon {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -124,6 +131,7 @@ rule CN_Honker_SegmentWeapon {
 rule CN_Honker_Alien_iispwd {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file iispwd.vbs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -139,6 +147,7 @@ rule CN_Honker_Alien_iispwd {
 rule CN_Honker_Md5CrackTools {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -154,6 +163,7 @@ rule CN_Honker_Md5CrackTools {
 rule CN_Honker_CoolScan_scan {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file scan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -169,6 +179,7 @@ rule CN_Honker_CoolScan_scan {
 rule CN_Honker_mempodipper2_6 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file mempodipper2.6.39"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -183,6 +194,7 @@ rule CN_Honker_mempodipper2_6 {
 rule CN_Honker_COOKIE_CooKie {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file CooKie.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -198,6 +210,7 @@ rule CN_Honker_COOKIE_CooKie {
 rule CN_Honker_wwwscan_1_wwwscan {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -213,6 +226,7 @@ rule CN_Honker_wwwscan_1_wwwscan {
 rule CN_Honker_D_injection_V2_32 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -228,6 +242,7 @@ rule CN_Honker_D_injection_V2_32 {
 rule CN_Honker_net_priv_esc2 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -243,6 +258,7 @@ rule CN_Honker_net_priv_esc2 {
 rule CN_Honker_Oracle_v1_0_Oracle {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Oracle.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -259,6 +275,7 @@ rule CN_Honker_Oracle_v1_0_Oracle {
 rule CN_Honker_Interception {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Interception.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -274,6 +291,7 @@ rule CN_Honker_Interception {
 rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file 3.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -290,6 +308,7 @@ rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0 {
 rule CN_Honker_windows_exp {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file exp.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -305,6 +324,7 @@ rule CN_Honker_windows_exp {
 rule CN_Honker_safe3wvs_cgiscan {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file cgiscan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -320,6 +340,7 @@ rule CN_Honker_safe3wvs_cgiscan {
 rule CN_Honker_pr_debug {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file debug.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -335,6 +356,7 @@ rule CN_Honker_pr_debug {
 rule CN_Honker_T00ls_Lpk_Sethc_v4_0 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -350,6 +372,7 @@ rule CN_Honker_T00ls_Lpk_Sethc_v4_0 {
 rule CN_Honker_MatriXay1073 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file MatriXay1073.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -367,6 +390,7 @@ rule CN_Honker_MatriXay1073 {
 rule CN_Honker_Sword1_5 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Sword1.5.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -384,6 +408,7 @@ rule CN_Honker_Sword1_5 {
 rule CN_Honker_Havij_Havij {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Havij.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -399,6 +424,7 @@ rule CN_Honker_Havij_Havij {
 rule CN_Honker_exp_ms11011 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ms11011.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -417,6 +443,7 @@ rule CN_Honker_exp_ms11011 {
 rule CN_Honker_DLL_passive_privilege_escalation_ws2help {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ws2help.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -432,6 +459,7 @@ rule CN_Honker_DLL_passive_privilege_escalation_ws2help {
 rule CN_Honker_Webshell {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Webshell.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -448,6 +476,7 @@ rule CN_Honker_Webshell {
 rule CN_Honker_AspxClient {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file AspxClient.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -465,6 +494,7 @@ rule CN_Honker_AspxClient {
 rule CN_Honker_Fckeditor {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Fckeditor.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -480,6 +510,7 @@ rule CN_Honker_Fckeditor {
 rule CN_Honker_Codeeer_Explorer {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -495,6 +526,7 @@ rule CN_Honker_Codeeer_Explorer {
 rule CN_Honker_SwordHonkerEdition {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -511,6 +543,7 @@ rule CN_Honker_SwordHonkerEdition {
 rule CN_Honker_HASH_PwDump7 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file PwDump7.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -528,6 +561,7 @@ rule CN_Honker_HASH_PwDump7 {
 rule CN_Honker_ChinaChopper {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ChinaChopper.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -544,6 +578,7 @@ rule CN_Honker_ChinaChopper {
 rule CN_Honker_dedecms5_7 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file dedecms5.7.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -559,6 +594,7 @@ rule CN_Honker_dedecms5_7 {
 rule CN_Honker_Alien_ee {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ee.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -574,6 +610,7 @@ rule CN_Honker_Alien_ee {
 rule CN_Honker_smsniff_smsniff {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file smsniff.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -589,6 +626,7 @@ rule CN_Honker_smsniff_smsniff {
 rule CN_Honker_Happy_Happy {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Happy.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -606,6 +644,7 @@ rule CN_Honker_Happy_Happy {
 rule CN_Honker_T00ls_Lpk_Sethc_v3_0 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -622,6 +661,7 @@ rule CN_Honker_T00ls_Lpk_Sethc_v3_0 {
 rule CN_Honker_NetFuke_NetFuke {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file NetFuke.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -637,6 +677,7 @@ rule CN_Honker_NetFuke_NetFuke {
 rule CN_Honker_ManualInjection {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ManualInjection.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -652,6 +693,7 @@ rule CN_Honker_ManualInjection {
 rule CN_Honker_CnCerT_CCdoor_CMD {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -669,6 +711,7 @@ rule CN_Honker_CnCerT_CCdoor_CMD {
 rule CN_Honker_termsrvhack {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file termsrvhack.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -684,6 +727,7 @@ rule CN_Honker_termsrvhack {
 rule CN_Honker_IIS6_iis6 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file iis6.com"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -701,6 +745,7 @@ rule CN_Honker_IIS6_iis6 {
 rule CN_Honker_struts2_catbox {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file catbox.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -716,6 +761,7 @@ rule CN_Honker_struts2_catbox {
 rule CN_Honker_getlsasrvaddr {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -732,6 +778,7 @@ rule CN_Honker_getlsasrvaddr {
 rule CN_Honker_ms10048_x64 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ms10048-x64.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -747,6 +794,7 @@ rule CN_Honker_ms10048_x64 {
 rule CN_Honker_LogCleaner {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file LogCleaner.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -762,6 +810,7 @@ rule CN_Honker_LogCleaner {
 rule CN_Honker_shell_brute_tool {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -777,6 +826,7 @@ rule CN_Honker_shell_brute_tool {
 rule CN_Honker_hxdef100 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file hxdef100.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -793,6 +843,7 @@ rule CN_Honker_hxdef100 {
 rule CN_Honker_Arp_EMP_v1_0 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -807,6 +858,7 @@ rule CN_Honker_Arp_EMP_v1_0 {
 rule CN_Honker_GetWebShell {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file GetWebShell.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -824,6 +876,7 @@ rule CN_Honker_GetWebShell {
 rule CN_Honker_Cracker_SHELL {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file SHELL.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -841,6 +894,7 @@ rule CN_Honker_Cracker_SHELL {
 rule CN_Honker_MSTSC_can_direct_copy {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -857,6 +911,7 @@ rule CN_Honker_MSTSC_can_direct_copy {
 rule CN_Honker_lcx_lcx {
 meta:
 description = "Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -875,6 +930,7 @@ rule CN_Honker_lcx_lcx {
 rule CN_Honker_PostgreSQL {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file PostgreSQL.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -890,6 +946,7 @@ rule CN_Honker_PostgreSQL {
 rule CN_Honker_WebRobot {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file WebRobot.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -906,6 +963,7 @@ rule CN_Honker_WebRobot {
 rule CN_Honker_Baidu_Extractor_Ver1_0 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Baidu_Extractor_Ver1.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -923,6 +981,7 @@ rule CN_Honker_Baidu_Extractor_Ver1_0 {
 rule CN_Honker_FTP_scanning {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file FTP_scanning.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -940,6 +999,7 @@ rule CN_Honker_FTP_scanning {
 rule CN_Honker_dirdown_dirdown {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file dirdown.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -956,6 +1016,7 @@ rule CN_Honker_dirdown_dirdown {
 rule CN_Honker_Xiaokui_conversion_tool {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -972,6 +1033,7 @@ rule CN_Honker_Xiaokui_conversion_tool {
 rule CN_Honker_GroupPolicyRemover {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -988,6 +1050,7 @@ rule CN_Honker_GroupPolicyRemover {
 rule CN_Honker_WordpressScanner {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file WordpressScanner.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1005,6 +1068,7 @@ rule CN_Honker_WordpressScanner {
 rule CN_Honker_Htran_V2_40_htran20 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file htran20.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1024,6 +1088,7 @@ rule CN_Honker_Htran_V2_40_htran20 {
 rule CN_Honker_DictionaryGenerator {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1039,6 +1104,7 @@ rule CN_Honker_DictionaryGenerator {
 rule CN_Honker_ms11080_withcmd {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1054,6 +1120,7 @@ rule CN_Honker_ms11080_withcmd {
 rule CN_Honker_T00ls_Lpk_Sethc_v2 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1070,6 +1137,7 @@ rule CN_Honker_T00ls_Lpk_Sethc_v2 {
 rule CN_Honker_HASH_32 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file 32.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1086,6 +1154,7 @@ rule CN_Honker_HASH_32 {
 rule CN_Honker_windows_mstsc_enhanced_RMDSTC {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file RMDSTC.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1101,6 +1170,7 @@ rule CN_Honker_windows_mstsc_enhanced_RMDSTC {
 rule CN_Honker_sig_3389_mstsc_MSTSCAX {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1117,6 +1187,7 @@ rule CN_Honker_sig_3389_mstsc_MSTSCAX {
 rule CN_Honker_T00ls_scanner {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1132,6 +1203,7 @@ rule CN_Honker_T00ls_scanner {
 rule CN_Honker_GetHashes {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1148,6 +1220,7 @@ rule CN_Honker_GetHashes {
 rule CN_Honker_hashq_Hashq {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Hashq.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1164,6 +1237,7 @@ rule CN_Honker_hashq_Hashq {
 rule CN_Honker_ShiftBackdoor_Server {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Server.dat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1181,6 +1255,7 @@ rule CN_Honker_ShiftBackdoor_Server {
 rule CN_Honker_exp_win2003 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file win2003.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1197,6 +1272,7 @@ rule CN_Honker_exp_win2003 {
 rule CN_Honker_Interception3389_setup {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file setup.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1215,6 +1291,7 @@ rule CN_Honker_Interception3389_setup {
 rule CN_Honker_CnCerT_CCdoor_CMD_2 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1232,6 +1309,7 @@ rule CN_Honker_CnCerT_CCdoor_CMD_2 {
 rule CN_Honker_exp_ms11046 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ms11046.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1249,6 +1327,7 @@ rule CN_Honker_exp_ms11046 {
 rule CN_Honker_Master_beta_1_7 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1264,6 +1343,7 @@ rule CN_Honker_Master_beta_1_7 {
 rule CN_Honker_F4ck_Team_f4ck_2 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file f4ck_2.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1282,6 +1362,7 @@ rule CN_Honker_F4ck_Team_f4ck_2 {
 rule CN_Honker_sig_3389_80_AntiFW {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file AntiFW.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1300,6 +1381,7 @@ rule CN_Honker_sig_3389_80_AntiFW {
 rule CN_Honker_wwwscan_gui {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1315,6 +1397,7 @@ rule CN_Honker_wwwscan_gui {
 rule CN_Honker_SwordCollEdition {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1330,6 +1413,7 @@ rule CN_Honker_SwordCollEdition {
 rule CN_Honker_HconSTFportable {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file HconSTFportable.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1345,6 +1429,7 @@ rule CN_Honker_HconSTFportable {
 rule CN_Honker_T00ls_Lpk_Sethc_v3_LPK {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1362,6 +1447,7 @@ rule CN_Honker_T00ls_Lpk_Sethc_v3_LPK {
 rule CN_Honker_Without_a_trace_Wywz {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Wywz.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1378,6 +1464,7 @@ rule CN_Honker_Without_a_trace_Wywz {
 rule CN_Honker_LPK2_0_LPK {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1395,6 +1482,7 @@ rule CN_Honker_LPK2_0_LPK {
 rule CN_Honker_cleaniis {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file cleaniis.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1410,6 +1498,7 @@ rule CN_Honker_cleaniis {
 rule CN_Honker_arp3_7_arp3_7 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file arp3.7.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1425,6 +1514,7 @@ rule CN_Honker_arp3_7_arp3_7 {
 rule CN_Honker_exp_ms11080 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ms11080.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1440,6 +1530,7 @@ rule CN_Honker_exp_ms11080 {
 rule CN_Honker_Injection_transit {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Injection_transit.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1456,6 +1547,7 @@ rule CN_Honker_Injection_transit {
 rule CN_Honker_Safe3WVS {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Safe3WVS.EXE"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1474,6 +1566,7 @@ rule CN_Honker_Safe3WVS {
 rule CN_Honker_NBSI_3_0 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1491,6 +1584,7 @@ rule CN_Honker_NBSI_3_0 {
 rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file 2.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1507,6 +1601,7 @@ rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0 {
 rule CN_Honker_hkmjjiis6 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1523,6 +1618,7 @@ rule CN_Honker_hkmjjiis6 {
 rule CN_Honker_clearlogs {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file clearlogs.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1538,6 +1634,7 @@ rule CN_Honker_clearlogs {
 rule CN_Honker_no_net_priv_esc_AddUser {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file AddUser.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1554,6 +1651,7 @@ rule CN_Honker_no_net_priv_esc_AddUser {
 rule CN_Honker_Injection {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Injection.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1569,6 +1667,7 @@ rule CN_Honker_Injection {
 rule CN_Honker_SQLServer_inject_Creaked {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1584,6 +1683,7 @@ rule CN_Honker_SQLServer_inject_Creaked {
 rule CN_Honker_WebScan_WebScan {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file WebScan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1599,6 +1699,7 @@ rule CN_Honker_WebScan_WebScan {
 rule CN_Honker_GetHashes_2 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1615,6 +1716,7 @@ rule CN_Honker_GetHashes_2 {
 rule CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1631,6 +1733,7 @@ rule CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen
 rule CN_Honker_Tuoku_script_oracle_2 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file oracle.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1646,6 +1749,7 @@ rule CN_Honker_Tuoku_script_oracle_2 {
 rule CN_Honker_net_packet_capt {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file net_packet_capt.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1664,6 +1768,7 @@ rule CN_Honker_net_packet_capt {
 rule CN_Honker_CleanIISLog {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file CleanIISLog.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1678,6 +1783,7 @@ rule CN_Honker_CleanIISLog {
 rule CN_Honker_HASH_pwhash {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file pwhash.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1693,6 +1799,7 @@ rule CN_Honker_HASH_pwhash {
 rule CN_Honker_cleaner_cl_2 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file cl.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1708,6 +1815,7 @@ rule CN_Honker_cleaner_cl_2 {
 rule CN_Honker_SqlMap_Python_Run {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Run.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1724,6 +1832,7 @@ rule CN_Honker_SqlMap_Python_Run {
 rule CN_Honker_SAMInside {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file SAMInside.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1739,6 +1848,7 @@ rule CN_Honker_SAMInside {
 rule CN_Honker_WebScan_wwwscan {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1755,6 +1865,7 @@ rule CN_Honker_WebScan_wwwscan {
 rule CN_Honker_sig_3389_2_3389 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file 3389.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1771,6 +1882,7 @@ rule CN_Honker_sig_3389_2_3389 {
 rule CN_Honker_PHP_php11 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file php11.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1787,6 +1899,7 @@ rule CN_Honker_PHP_php11 {
 rule CN_Honker_WebCruiserWVS {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1802,6 +1915,7 @@ rule CN_Honker_WebCruiserWVS {
 rule CN_Honker_Hookmsgina {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Hookmsgina.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1819,6 +1933,7 @@ rule CN_Honker_Hookmsgina {
 rule CN_Honker_sig_3389_xp3389 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file xp3389.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1835,6 +1950,7 @@ rule CN_Honker_sig_3389_xp3389 {
 rule CN_Honker_CookiesView {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file CookiesView.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1851,6 +1967,7 @@ rule CN_Honker_CookiesView {
 rule CN_Honker_T00ls_Lpk_Sethc_v4_LPK {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1868,6 +1985,7 @@ rule CN_Honker_T00ls_Lpk_Sethc_v4_LPK {
 rule CN_Honker_ScanHistory {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ScanHistory.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1884,6 +2002,7 @@ rule CN_Honker_ScanHistory {
 rule CN_Honker_InvasionErasor {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file InvasionErasor.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1902,6 +2021,7 @@ rule CN_Honker_InvasionErasor {
 rule CN_Honker_super_Injection1 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file super Injection1.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1918,6 +2038,7 @@ rule CN_Honker_super_Injection1 {
 rule CN_Honker_Pk_Pker {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Pker.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1938,6 +2059,7 @@ rule CN_Honker_Pk_Pker {
 rule CN_Honker_GetPass_GetPass {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file GetPass.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1954,6 +2076,7 @@ rule CN_Honker_GetPass_GetPass {
 rule CN_Honker_F4ck_Team_f4ck_3 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file f4ck.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1974,6 +2097,7 @@ rule CN_Honker_F4ck_Team_f4ck_3 {
 rule CN_Honker_F4ck_Team_F4ck_3 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file F4ck_3.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1993,6 +2117,7 @@ rule CN_Honker_F4ck_Team_F4ck_3 {
 rule CN_Honker_ACCESS_brute {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2011,6 +2136,7 @@ rule CN_Honker_ACCESS_brute {
 rule CN_Honker_Fpipe_FPipe {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file FPipe.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2027,6 +2153,7 @@ rule CN_Honker_Fpipe_FPipe {
 rule CN_Honker_Layer_Layer {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file Layer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2043,6 +2170,7 @@ rule CN_Honker_Layer_Layer {
 rule CN_Honker_ms10048_x86 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file ms10048-x86.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2057,6 +2185,7 @@ rule CN_Honker_ms10048_x86 {
 rule CN_Honker_HTran2_4 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file HTran2.4.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2072,6 +2201,7 @@ rule CN_Honker_HTran2_4 {
 rule CN_Honker_SkinHRootkit_SkinH {
 meta:
 description = "Sample from CN Honker Pentest Toolset - file SkinH.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2088,6 +2218,7 @@ rule CN_Honker_SkinHRootkit_SkinH {
 rule CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked {
 meta:
 description = "Sample from CN Honker Pentest Toolset"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2108,6 +2239,7 @@ rule CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creake
 rule CN_Honker__wwwscan_wwwscan_wwwscan_gui {
 meta:
 description = "Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2126,6 +2258,7 @@ rule CN_Honker__wwwscan_wwwscan_wwwscan_gui {
 rule CN_Honker__LPK_LPK_LPK {
 meta:
 description = "Sample from CN Honker Pentest Toolset - from files LPK.DAT, LPK.DAT, LPK.DAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2147,6 +2280,7 @@ rule CN_Honker__LPK_LPK_LPK {
 rule CN_Honker__builder_shift_SkinH {
 meta:
 description = "Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2168,6 +2302,7 @@ rule CN_Honker__builder_shift_SkinH {
 rule CN_Honker__lcx_HTran2_4_htran20 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -2187,6 +2322,7 @@ rule CN_Honker__lcx_HTran2_4_htran20 {
 rule CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32 {
 meta:
 description = "Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
diff --git a/yara/cn_pentestset_webshells.yar b/yara/cn_pentestset_webshells.yar
index 2a7fa6b..428a6ae 100644
--- a/yara/cn_pentestset_webshells.yar
+++ b/yara/cn_pentestset_webshells.yar
@@ -8,6 +8,7 @@
 rule CN_Honker_Webshell_PHP_php5 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php5.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -23,6 +24,7 @@ rule CN_Honker_Webshell_PHP_php5 {
 rule CN_Honker_Webshell_test3693 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file test3693.war"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -38,6 +40,7 @@ rule CN_Honker_Webshell_test3693 {
 rule CN_Honker_Webshell_mycode12 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file mycode12.cfm"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -53,6 +56,7 @@ rule CN_Honker_Webshell_mycode12 {
 rule CN_Honker_Webshell_offlibrary {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file offlibrary.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -68,6 +72,7 @@ rule CN_Honker_Webshell_offlibrary {
 rule CN_Honker_Webshell_cfm_xl {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file xl.cfm"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -83,6 +88,7 @@ rule CN_Honker_Webshell_cfm_xl {
 rule CN_Honker_Webshell_PHP_linux {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file linux.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -98,6 +104,7 @@ rule CN_Honker_Webshell_PHP_linux {
 rule CN_Honker_Webshell_Interception3389_get {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file get.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -114,6 +121,7 @@ rule CN_Honker_Webshell_Interception3389_get {
 rule CN_Honker_Webshell_nc_1 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file 1.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -129,6 +137,7 @@ rule CN_Honker_Webshell_nc_1 {
 rule CN_Honker_Webshell_PHP_BlackSky {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php6.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -144,6 +153,7 @@ rule CN_Honker_Webshell_PHP_BlackSky {
 rule CN_Honker_Webshell_ASP_asp3 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file asp3.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -159,6 +169,7 @@ rule CN_Honker_Webshell_ASP_asp3 {
 rule CN_Honker_Webshell_ASPX_sniff {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file sniff.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -174,6 +185,7 @@ rule CN_Honker_Webshell_ASPX_sniff {
 rule CN_Honker_Webshell_udf_udf {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file udf.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -189,6 +201,7 @@ rule CN_Honker_Webshell_udf_udf {
 rule CN_Honker_Webshell_JSP_jsp {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file jsp.html"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -204,6 +217,7 @@ rule CN_Honker_Webshell_JSP_jsp {
 rule CN_Honker_Webshell_T00ls_Lpk_Sethc_v4_mail {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file mail.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -219,6 +233,7 @@ rule CN_Honker_Webshell_T00ls_Lpk_Sethc_v4_mail {
 rule CN_Honker_Webshell_phpwebbackup {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file phpwebbackup.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -234,6 +249,7 @@ rule CN_Honker_Webshell_phpwebbackup {
 rule CN_Honker_Webshell_dz_phpcms_phpbb {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file dz_phpcms_phpbb.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -251,6 +267,7 @@ rule CN_Honker_Webshell_dz_phpcms_phpbb {
 rule CN_Honker_Webshell_picloaked_1 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file 1.gif"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -267,6 +284,7 @@ rule CN_Honker_Webshell_picloaked_1 {
 rule CN_Honker_Webshell_assembly {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file assembly.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -281,6 +299,7 @@ rule CN_Honker_Webshell_assembly {
 rule CN_Honker_Webshell_PHP_php8 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php8.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -298,6 +317,7 @@ rule CN_Honker_Webshell_PHP_php8 {
 rule CN_Honker_Webshell_Tuoku_script_xx {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file xx.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -314,6 +334,7 @@ rule CN_Honker_Webshell_Tuoku_script_xx {
 rule CN_Honker_Webshell_JSPMSSQL {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file JSPMSSQL.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -329,6 +350,7 @@ rule CN_Honker_Webshell_JSPMSSQL {
 rule CN_Honker_Webshell_Injection_Transit_jmPost {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file jmPost.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -344,6 +366,7 @@ rule CN_Honker_Webshell_Injection_Transit_jmPost {
 rule CN_Honker_Webshell_ASP_web_asp {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file web.asp.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -359,6 +382,7 @@ rule CN_Honker_Webshell_ASP_web_asp {
 rule CN_Honker_Webshell_wshell_asp {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file wshell-asp.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -375,6 +399,7 @@ rule CN_Honker_Webshell_wshell_asp {
 rule CN_Honker_Webshell_ASP_asp404 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file asp404.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -391,6 +416,7 @@ rule CN_Honker_Webshell_ASP_asp404 {
 rule CN_Honker_Webshell_Serv_U_asp {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file Serv-U asp.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -407,6 +433,7 @@ rule CN_Honker_Webshell_Serv_U_asp {
 rule CN_Honker_Webshell_cfm_list {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file list.cfm"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -422,6 +449,7 @@ rule CN_Honker_Webshell_cfm_list {
 rule CN_Honker_Webshell_PHP_php2 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php2.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -437,6 +465,7 @@ rule CN_Honker_Webshell_PHP_php2 {
 rule CN_Honker_Webshell_Tuoku_script_oracle {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file oracle.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -453,6 +482,7 @@ rule CN_Honker_Webshell_Tuoku_script_oracle {
 rule CN_Honker_Webshell_ASPX_aspx4 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file aspx4.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -469,6 +499,7 @@ rule CN_Honker_Webshell_ASPX_aspx4 {
 rule CN_Honker_Webshell_ASPX_aspx {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file aspx.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -486,6 +517,7 @@ rule CN_Honker_Webshell_ASPX_aspx {
 rule CN_Honker_Webshell_su7_x_9_x {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file su7.x-9.x.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -501,6 +533,7 @@ rule CN_Honker_Webshell_su7_x_9_x {
 rule CN_Honker_Webshell_cfmShell {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file cfmShell.cfm"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -516,6 +549,7 @@ rule CN_Honker_Webshell_cfmShell {
 rule CN_Honker_Webshell_ASP_asp4 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file asp4.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -532,6 +566,7 @@ rule CN_Honker_Webshell_ASP_asp4 {
 rule CN_Honker_Webshell_Serv_U_2_admin_by_lake2 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file Serv-U 2 admin by lake2.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -549,6 +584,7 @@ rule CN_Honker_Webshell_Serv_U_2_admin_by_lake2 {
 rule CN_Honker_Webshell_PHP_php3 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php3.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -564,6 +600,7 @@ rule CN_Honker_Webshell_PHP_php3 {
 rule CN_Honker_Webshell_Serv_U_by_Goldsun {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file Serv-U_by_Goldsun.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -581,6 +618,7 @@ rule CN_Honker_Webshell_Serv_U_by_Goldsun {
 rule CN_Honker_Webshell_PHP_php10 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php10.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -595,6 +633,7 @@ rule CN_Honker_Webshell_PHP_php10 {
 rule CN_Honker_Webshell_Serv_U_servu {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file servu.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -610,6 +649,7 @@ rule CN_Honker_Webshell_Serv_U_servu {
 rule CN_Honker_Webshell_portRecall_jsp2 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file jsp2.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -626,6 +666,7 @@ rule CN_Honker_Webshell_portRecall_jsp2 {
 rule CN_Honker_Webshell_ASPX_aspx2 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file aspx2.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -643,6 +684,7 @@ rule CN_Honker_Webshell_ASPX_aspx2 {
 rule CN_Honker_Webshell_ASP_hy2006a {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file hy2006a.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -658,6 +700,7 @@ rule CN_Honker_Webshell_ASP_hy2006a {
 rule CN_Honker_Webshell_PHP_php1 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php1.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -674,6 +717,7 @@ rule CN_Honker_Webshell_PHP_php1 {
 rule CN_Honker_Webshell_jspshell2 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file jspshell2.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -689,6 +733,7 @@ rule CN_Honker_Webshell_jspshell2 {
 rule CN_Honker_Webshell_Tuoku_script_mysql {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file mysql.aspx"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -703,6 +748,7 @@ rule CN_Honker_Webshell_Tuoku_script_mysql {
 rule CN_Honker_Webshell_PHP_php9 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php9.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -717,6 +763,7 @@ rule CN_Honker_Webshell_PHP_php9 {
 rule CN_Honker_Webshell_portRecall_jsp {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file jsp.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -731,6 +778,7 @@ rule CN_Honker_Webshell_portRecall_jsp {
 rule CN_Honker_Webshell_ASPX_aspx3 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file aspx3.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -746,6 +794,7 @@ rule CN_Honker_Webshell_ASPX_aspx3 {
 rule CN_Honker_Webshell_ASPX_shell_shell {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file shell.aspx"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -761,6 +810,7 @@ rule CN_Honker_Webshell_ASPX_shell_shell {
 rule CN_Honker_Webshell__php1_php7_php9 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - from files php1.txt, php7.txt, php9.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -780,6 +830,7 @@ rule CN_Honker_Webshell__php1_php7_php9 {
 rule CN_Honker_Webshell__Serv_U_by_Goldsun_asp3_Serv_U_asp {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - from files Serv-U_by_Goldsun.asp, asp3.txt, Serv-U asp.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -799,6 +850,7 @@ rule CN_Honker_Webshell__Serv_U_by_Goldsun_asp3_Serv_U_asp {
 rule CN_Honker_Webshell__asp4_asp4_MSSQL__MSSQL_ {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - from files asp4.txt, asp4.txt, MSSQL_.asp, MSSQL_.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -819,6 +871,7 @@ rule CN_Honker_Webshell__asp4_asp4_MSSQL__MSSQL_ {
 rule CN_Honker_Webshell__Injection_jmCook_jmPost_ManualInjection {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - from files Injection.exe, jmCook.asp, jmPost.asp, ManualInjection.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -838,6 +891,7 @@ rule CN_Honker_Webshell__Injection_jmCook_jmPost_ManualInjection {
 rule CN_Honker_Webshell_cmfshell {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file cmfshell.cmf"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -853,6 +907,7 @@ rule CN_Honker_Webshell_cmfshell {
 rule CN_Honker_Webshell_PHP_php4 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php4.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -867,6 +922,7 @@ rule CN_Honker_Webshell_PHP_php4 {
 rule CN_Honker_Webshell_Linux_2_6_Exploit {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file 2.6.9"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -881,6 +937,7 @@ rule CN_Honker_Webshell_Linux_2_6_Exploit {
 rule CN_Honker_Webshell_ASP_asp2 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file asp2.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -897,6 +954,7 @@ rule CN_Honker_Webshell_ASP_asp2 {
 rule CN_Honker_Webshell_FTP_MYSQL_MSSQL_SSH {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file FTP MYSQL MSSQL SSH.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -915,6 +973,7 @@ rule CN_Honker_Webshell_FTP_MYSQL_MSSQL_SSH {
 rule CN_Honker_Webshell_ASP_shell {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file shell.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -931,6 +990,7 @@ rule CN_Honker_Webshell_ASP_shell {
 rule CN_Honker_Webshell_PHP_php7 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file php7.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -946,6 +1006,7 @@ rule CN_Honker_Webshell_PHP_php7 {
 rule CN_Honker_Webshell_ASP_rootkit {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file rootkit.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -961,6 +1022,7 @@ rule CN_Honker_Webshell_ASP_rootkit {
 rule CN_Honker_Webshell_jspshell {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file jspshell.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -976,6 +1038,7 @@ rule CN_Honker_Webshell_jspshell {
 rule CN_Honker_Webshell_Serv_U_serv_u {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file serv-u.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -992,6 +1055,7 @@ rule CN_Honker_Webshell_Serv_U_serv_u {
 rule CN_Honker_Webshell_WebShell {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file WebShell.cgi"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1008,6 +1072,7 @@ rule CN_Honker_Webshell_WebShell {
 rule CN_Honker_Webshell_Tuoku_script_mssql_2 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file mssql.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
@@ -1024,6 +1089,7 @@ rule CN_Honker_Webshell_Tuoku_script_mssql_2 {
 rule CN_Honker_Webshell_ASP_asp1 {
 meta:
 description = "Webshell from CN Honker Pentest Toolset - file asp1.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed CN Honker Pentest Toolset"
 date = "2015-06-23"
diff --git a/yara/crime_andromeda_jun17.yar b/yara/crime_andromeda_jun17.yar
index c2e0b87..6513ee8 100644
--- a/yara/crime_andromeda_jun17.yar
+++ b/yara/crime_andromeda_jun17.yar
@@ -12,6 +12,7 @@
 rule Andromeda_MalBot_Jun_1A {
 meta:
 description = "Detects a malicious Worm Andromeda / RETADUP"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/"
 date = "2017-06-30"
diff --git a/yara/crime_antifw_installrex.yar b/yara/crime_antifw_installrex.yar
index 18258c0..f157e94 100644
--- a/yara/crime_antifw_installrex.yar
+++ b/yara/crime_antifw_installrex.yar
@@ -2,6 +2,7 @@
 rule PUP_InstallRex_AntiFWb {
 meta:
 description = "Malware InstallRex / AntiFW"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-05-13"
 hash = "bb5607cd2ee51f039f60e32cf7edc4e21a2d95cd"
diff --git a/yara/crime_bad_patch.yar b/yara/crime_bad_patch.yar
index fcd58a2..3175ed5 100644
--- a/yara/crime_bad_patch.yar
+++ b/yara/crime_bad_patch.yar
@@ -11,6 +11,7 @@
 rule WinAgent_BadPatch_1 {
 meta:
 description = "Detects samples mentioned in BadPatch report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/RvDwwA"
 date = "2017-10-20"
@@ -39,6 +40,7 @@ rule WinAgent_BadPatch_1 {
 rule WinAgent_BadPatch_2 {
 meta:
 description = "Detects samples mentioned in BadPatch report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/RvDwwA"
 date = "2017-10-20"
diff --git a/yara/crime_badrabbit.yar b/yara/crime_badrabbit.yar
index a6cff11..173fb5d 100644
--- a/yara/crime_badrabbit.yar
+++ b/yara/crime_badrabbit.yar
@@ -11,6 +11,7 @@
 rule BadRabbit_Gen {
 meta:
 description = "Detects BadRabbit Ransomware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://pastebin.com/Y7pJv3tK"
 date = "2017-10-25"
@@ -40,6 +41,7 @@ rule BadRabbit_Gen {
 rule BadRabbit_Mimikatz_Comp {
 meta:
 description = "Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://pastebin.com/Y7pJv3tK"
 date = "2017-10-25"
diff --git a/yara/crime_buzus_softpulse.yar b/yara/crime_buzus_softpulse.yar
index c0e7520..3a2ae1f 100644
--- a/yara/crime_buzus_softpulse.yar
+++ b/yara/crime_buzus_softpulse.yar
@@ -2,6 +2,7 @@
 rule Win32_Buzus_Softpulse {
 meta:
 description = "Trojan Buzus / Softpulse"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-05-13"
 hash = "2f6df200e63a86768471399a74180466d2e99ea9"
diff --git a/yara/crime_cn_campaign_njrat.yar b/yara/crime_cn_campaign_njrat.yar
index 9342a13..512ee7b 100644
--- a/yara/crime_cn_campaign_njrat.yar
+++ b/yara/crime_cn_campaign_njrat.yar
@@ -13,6 +13,7 @@ import "pe"
 rule CN_disclosed_20180208_lsls {
 meta:
 description = "Detects malware from disclosed CN malware set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/cyberintproject/status/961714165550342146"
 date = "2018-02-08"
@@ -26,6 +27,7 @@ rule CN_disclosed_20180208_lsls {
 rule CN_disclosed_20180208_c {
 meta:
 description = "Detects malware from disclosed CN malware set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/cyberintproject/status/961714165550342146"
 date = "2018-02-08"
@@ -53,6 +55,7 @@ rule CN_disclosed_20180208_c {
 rule CN_disclosed_20180208_System3 {
 meta:
 description = "Detects malware from disclosed CN malware set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/cyberintproject/status/961714165550342146"
 date = "2018-02-08"
@@ -71,6 +74,7 @@ rule CN_disclosed_20180208_System3 {
 rule CN_disclosed_20180208_Mal1 {
 meta:
 description = "Detects malware from disclosed CN malware set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
 date = "2018-02-08"
@@ -97,6 +101,7 @@ rule CN_disclosed_20180208_Mal1 {
 rule CN_disclosed_20180208_KeyLogger_1 {
 meta:
 description = "Detects malware from disclosed CN malware set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
 date = "2018-02-08"
@@ -114,6 +119,7 @@ rule CN_disclosed_20180208_KeyLogger_1 {
 rule CN_disclosed_20180208_Mal4 {
 meta:
 description = "Detects malware from disclosed CN malware set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
 date = "2018-02-08"
@@ -128,6 +134,7 @@ rule CN_disclosed_20180208_Mal4 {
 rule CN_disclosed_20180208_Mal5 {
 meta:
 description = "Detects malware from disclosed CN malware set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
 date = "2018-02-08"
diff --git a/yara/crime_cn_group_btc.yar b/yara/crime_cn_group_btc.yar
index 9484eed..a143631 100644
--- a/yara/crime_cn_group_btc.yar
+++ b/yara/crime_cn_group_btc.yar
@@ -10,6 +10,7 @@
 rule BTC_Miner_lsass1_chrome_2 {
 meta:
 description = "Detects a Bitcoin Miner"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - CN Actor"
 date = "2017-06-22"
@@ -27,6 +28,7 @@ rule BTC_Miner_lsass1_chrome_2 {
 rule CN_Actor_RA_Tool_Ammyy_mscorsvw {
 meta:
 description = "Detects Ammyy remote access tool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - CN Actor"
 date = "2017-06-22"
@@ -43,6 +45,7 @@ rule CN_Actor_RA_Tool_Ammyy_mscorsvw {
 rule CN_Actor_AmmyyAdmin {
 meta:
 description = "Detects Ammyy Admin Downloader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - CN Actor"
 date = "2017-06-22"
diff --git a/yara/crime_cobaltgang.yar b/yara/crime_cobaltgang.yar
index 3954901..f4f1dfa 100644
--- a/yara/crime_cobaltgang.yar
+++ b/yara/crime_cobaltgang.yar
@@ -13,6 +13,7 @@
 rule CobaltStrike_CN_Group_BeaconDropper_Aug17 {
 meta:
 description = "Detects Script Dropper of Cobalt Gang used in August 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-08-09"
@@ -37,6 +38,7 @@ rule CobaltStrike_CN_Group_BeaconDropper_Aug17 {
 rule CobaltGang_Malware_Aug17_1 {
 meta:
 description = "Detects a Cobalt Gang malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"
 date = "2017-08-09"
@@ -53,6 +55,7 @@ rule CobaltGang_Malware_Aug17_1 {
 rule CobaltGang_Malware_Aug17_2 {
 meta:
 description = "Detects a Cobalt Gang malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"
 date = "2017-08-09"
diff --git a/yara/crime_credstealer_generic.yar b/yara/crime_credstealer_generic.yar
index 3764344..f82ed5c 100644
--- a/yara/crime_credstealer_generic.yar
+++ b/yara/crime_credstealer_generic.yar
@@ -2,6 +2,7 @@
 rule CredentialStealer_Generic_Backdoor {
 meta:
 description = "Detects credential stealer byed on many strings that indicate password store access"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-06-07"
diff --git a/yara/crime_cryptowall_svg.yar b/yara/crime_cryptowall_svg.yar
index 400894d..8b8ac26 100644
--- a/yara/crime_cryptowall_svg.yar
+++ b/yara/crime_cryptowall_svg.yar
@@ -2,6 +2,7 @@
 rule SVG_LoadURL {
 meta:
 description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/psjCCc"
 date = "2015-05-24"
diff --git a/yara/crime_dexter_trojan.yar b/yara/crime_dexter_trojan.yar
index 4975bde..bf15588 100644
--- a/yara/crime_dexter_trojan.yar
+++ b/yara/crime_dexter_trojan.yar
@@ -1,6 +1,7 @@
 rule Dexter_Malware {
 meta:
 description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/oBvy8b"
 date = "2015/02/10"
diff --git a/yara/crime_enfal.yar b/yara/crime_enfal.yar
index 4dd7177..7fa1f37 100644
--- a/yara/crime_enfal.yar
+++ b/yara/crime_enfal.yar
@@ -1,6 +1,7 @@
 rule Enfal_Malware {
 meta:
 description = "Detects a certain type of Enfal Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/02/10"
@@ -23,6 +24,7 @@ rule Enfal_Malware {
 rule Enfal_Malware_Backdoor {
 meta:
 description = "Generic Rule to detect the Enfal Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015/02/10"
 super_rule = 1
diff --git a/yara/crime_envrial.yar b/yara/crime_envrial.yar
index 58b41c5..391591c 100644
--- a/yara/crime_envrial.yar
+++ b/yara/crime_envrial.yar
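Review bot: The description of CredentialStealer_Generic_Backdoor still carries the typo "byed"; since this commit rewrites every meta block it is a cheap moment to fix it, e.g. `description = "Detects credential stealer based on many strings that indicate password store access"`. The rest of the rule lies outside the hunk.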
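Review bot: The `date` meta in Dexter_Malware and both Enfal hunks uses the slash form `"2015/02/10"` while every other rule in this commit uses ISO `"2015-02-10"`; the same applies to TrojanDownloader (`"2015/02/11"`) in crime_malware_generic.yar further down. Tooling that parses `date` for rule-age or freshness reporting has to special-case these, so normalising to `date = "2015-02-10"` while the meta blocks are being touched would keep the corpus uniform. The rule bodies are outside the hunks.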
@@ -11,6 +11,7 @@
 rule MAL_Envrial_Jan18_1 {
 meta:
 description = "Detects Encrial credential stealer malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/malwrhunterteam/status/953313514629853184"
 date = "2018-01-21"
diff --git a/yara/crime_eternalrocks.yar b/yara/crime_eternalrocks.yar
index 7484985..f473696 100644
--- a/yara/crime_eternalrocks.yar
+++ b/yara/crime_eternalrocks.yar
@@ -12,6 +12,7 @@
 rule EternalRocks_taskhost {
 meta:
 description = "Detects EternalRocks Malware - file taskhost.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/stamparm/status/864865144748298242"
 date = "2017-05-18"
@@ -30,6 +31,7 @@ rule EternalRocks_taskhost {
 rule EternalRocks_svchost {
 meta:
 description = "Detects EternalRocks Malware - file taskhost.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/stamparm/status/864865144748298242"
 date = "2017-05-18"
diff --git a/yara/crime_fareit.yar b/yara/crime_fareit.yar
index b36340b..fefbcf3 100644
--- a/yara/crime_fareit.yar
+++ b/yara/crime_fareit.yar
@@ -8,6 +8,7 @@
 rule Fareit_Trojan_Oct15 {
 meta:
 description = "Detects Fareit Trojan from Sep/Oct 2015 Wave"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/5VYtlU"
 date = "2015-10-18"
diff --git a/yara/crime_fireball.yar b/yara/crime_fireball.yar
index 77461bc..964b6e9 100644
--- a/yara/crime_fireball.yar
+++ b/yara/crime_fireball.yar
@@ -12,6 +12,7 @@
 rule Fireball_de_svr {
 meta:
 description = "Detects Fireball malware - file de_svr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/4pTkGQ"
 date = "2017-05-18"
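Review bot: The description of MAL_Envrial_Jan18_1 names the family "Encrial" while the rule name and the file name (crime_envrial.yar) say "Envrial"; one of the two is a typo and analysts grepping alerts by family name will miss it. If the rule name is the intended spelling, the line should read `description = "Detects Envrial credential stealer malware"`. The rule body is outside the hunk.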
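Review bot: EternalRocks_svchost describes itself as "file taskhost.exe", identical to the preceding EternalRocks_taskhost rule, which looks like a copy-paste leftover. If this rule was derived from the svchost.exe dropped component (the rule name suggests so, but the strings are outside the hunk), the meta should say `description = "Detects EternalRocks Malware - file svchost.exe"` so that matches are attributed to the right sample. Worth confirming against the original sample set before changing it.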
@@ -29,6 +30,7 @@ rule Fireball_de_svr {
 rule Fireball_lancer {
 meta:
 description = "Detects Fireball malware - file lancer.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/4pTkGQ"
 date = "2017-06-02"
@@ -49,6 +51,7 @@ rule Fireball_lancer {
 rule QQBrowser {
 meta:
 description = "Not malware but suspicious browser - file QQBrowser.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/4pTkGQ"
 date = "2017-06-02"
@@ -66,6 +69,7 @@ rule QQBrowser {
 rule chrome_elf {
 meta:
 description = "Detects Fireball malware - file chrome_elf.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/4pTkGQ"
 date = "2017-06-02"
@@ -84,6 +88,7 @@ rule chrome_elf {
 rule Fireball_regkey {
 meta:
 description = "Detects Fireball malware - file regkey.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/4pTkGQ"
 date = "2017-06-02"
@@ -99,6 +104,7 @@ rule Fireball_regkey {
 rule Fireball_winsap {
 meta:
 description = "Detects Fireball malware - file winsap.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/4pTkGQ"
 date = "2017-06-02"
@@ -117,6 +123,7 @@ rule Fireball_winsap {
 rule Fireball_archer {
 meta:
 description = "Detects Fireball malware - file archer.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/4pTkGQ"
 date = "2017-06-02"
@@ -135,6 +142,7 @@ rule Fireball_archer {
 rule clearlog {
 meta:
 description = "Detects Fireball malware - file clearlog.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/4pTkGQ"
 date = "2017-06-02"
@@ -155,6 +163,7 @@ rule clearlog {
 rule Fireball_gubed {
 meta:
 description = "Detects Fireball malware - file gubed.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/4pTkGQ"
 date = "2017-06-02"
diff --git a/yara/crime_floxif_flystudio.yar b/yara/crime_floxif_flystudio.yar
index 7432813..713cafb 100644
--- a/yara/crime_floxif_flystudio.yar
+++ b/yara/crime_floxif_flystudio.yar
@@ -3,6 +3,7 @@ import "pe"
 rule MAL_Floxif_Generic {
 meta:
 description = "Detects Floxif Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-05-11"
@@ -19,6 +20,7 @@ rule MAL_Floxif_Generic {
 rule MAL_CN_FlyStudio_May18_1 {
 meta:
 description = "Detects malware / hacktool detected in May 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-05-11"
diff --git a/yara/crime_goldeneye.yar b/yara/crime_goldeneye.yar
index c7e2b60..7c20ae2 100644
--- a/yara/crime_goldeneye.yar
+++ b/yara/crime_goldeneye.yar
@@ -10,6 +10,7 @@
 rule GoldenEye_Ransomware_XLS {
 meta:
 description = "GoldenEye XLS with Macro - file Schneider-Bewerbung.xls"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/jp2SkT"
 date = "2016-12-06"
@@ -24,6 +25,7 @@ rule GoldenEye_Ransomware_XLS {
 rule GoldenEyeRansomware_Dropper_MalformedZoomit {
 meta:
 description = "Auto-generated rule - file b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/jp2SkT"
 date = "2016-12-06"
diff --git a/yara/crime_kasper_oct17.yar b/yara/crime_kasper_oct17.yar
index caf9124..608d45e 100644
--- a/yara/crime_kasper_oct17.yar
+++ b/yara/crime_kasper_oct17.yar
@@ -13,6 +13,7 @@ import "pe"
 rule KasperMalware_Oct17_1 {
 meta:
 description = "Detects Kasper Backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-10-24"
diff --git a/yara/crime_kr_malware.yar b/yara/crime_kr_malware.yar
index 6726746..a96b469 100644
--- a/yara/crime_kr_malware.yar
+++ b/yara/crime_kr_malware.yar
@@ -11,6 +11,7 @@
 rule KR_Target_Malware_Aug17 {
 meta:
 description = "Detects malware that targeted South Korea in Aug 2017 - file MRDqsbuEqGxrgqtbXU.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/eyalsela/status/900250203097354240"
 date = "2017-08-23"
diff --git a/yara/crime_kraken_bot1.yar b/yara/crime_kraken_bot1.yar
index b2c058b..0cbf173 100644
--- a/yara/crime_kraken_bot1.yar
+++ b/yara/crime_kraken_bot1.yar
@@ -8,6 +8,7 @@
 rule Kraken_Bot_Sample {
 meta:
 description = "Kraken Bot Sample - file inf.bin"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html"
 date = "2015-05-07"
diff --git a/yara/crime_kriskynote.yar b/yara/crime_kriskynote.yar
index 6728685..f956b4f 100644
--- a/yara/crime_kriskynote.yar
+++ b/yara/crime_kriskynote.yar
@@ -11,6 +11,7 @@
 rule Kriskynote_Mar17_1 {
 meta:
 description = "Detects Kriskynote Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-03"
@@ -30,6 +31,7 @@ rule Kriskynote_Mar17_1 {
 rule Kriskynote_Mar17_2 {
 meta:
 description = "Detects Kriskynote Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-03"
@@ -44,6 +46,7 @@ rule Kriskynote_Mar17_2 {
 rule Kriskynote_Mar17_3 {
 meta:
 description = "Detects Kriskynote Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-03"
diff --git a/yara/crime_loki_bot.yar b/yara/crime_loki_bot.yar
index af8e8f0..31cc986 100644
--- a/yara/crime_loki_bot.yar
+++ b/yara/crime_loki_bot.yar
@@ -11,6 +11,7 @@
 rule LokiBot_Dropper_ScanCopyPDF_Feb18 {
 meta:
 description = "Auto-generated rule - file Scan Copy.pdf.com"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5"
 date = "2018-02-14"
@@ -31,6 +32,7 @@ rule LokiBot_Dropper_ScanCopyPDF_Feb18 {
 rule LokiBot_Dropper_Packed_R11_Feb18 {
 meta:
 description = "Auto-generated rule - file scan copy.pdf.r11"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5"
 date = "2018-02-14"
diff --git a/yara/crime_mal_grandcrab.yar b/yara/crime_mal_grandcrab.yar
index 2014fdd..1bdf729 100644
--- a/yara/crime_mal_grandcrab.yar
+++ b/yara/crime_mal_grandcrab.yar
@@ -3,6 +3,7 @@ import "pe"
 rule MAL_GandCrab_Apr18_1 {
 meta:
 description = "Detects GandCrab malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/MarceloRivero/status/988455516094550017"
 date = "2018-04-23"
diff --git a/yara/crime_malware_generic.yar b/yara/crime_malware_generic.yar
index ebcc321..1f1039e 100644
--- a/yara/crime_malware_generic.yar
+++ b/yara/crime_malware_generic.yar
@@ -4,6 +4,7 @@
 rule TrojanDownloader {
 meta:
 description = "Trojan Downloader - Flash Exploit Feb15"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/wJ8V1I"
 date = "2015/02/11"
@@ -52,6 +53,7 @@ rule TrojanDownloader {
 rule IsmDoor_Jul17_A2 {
 meta:
 description = "Detects IsmDoor Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/Voulnet/status/892104753295110145"
 date = "2017-08-01"
@@ -69,6 +71,7 @@ rule IsmDoor_Jul17_A2 {
 rule Unknown_Malware_Sample_Jul17_2 {
 meta:
 description = "Detects unknown malware sample with pastebin RAW URL"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/iqH8CK"
 date = "2017-08-01"
@@ -85,6 +88,7 @@ rule Unknown_Malware_Sample_Jul17_2 {
 rule MAL_unspecified_Jan18_1 {
 meta:
 description = "Detects unspecified malware sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-01-19"
diff --git a/yara/crime_malware_set_oct16.yar b/yara/crime_malware_set_oct16.yar
index e333a37..5ae2718 100644
--- a/yara/crime_malware_set_oct16.yar
+++ b/yara/crime_malware_set_oct16.yar
@@ -10,6 +10,7 @@
 rule Unspecified_Malware_Oct16_A {
 meta:
 description = "Detects an unspecififed malware - October 2016"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-10-08"
@@ -46,6 +47,7 @@ rule Unspecified_Malware_Oct16_A {
 rule Sality_Malware_Oct16 {
 meta:
 description = "Detects an unspecififed malware - October 2016"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-10-08"
@@ -61,6 +63,7 @@ rule Sality_Malware_Oct16 {
 rule Unspecified_Malware_Oct16_C {
 meta:
 description = "Detects an unspecififed malware - October 2016"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-10-08"
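Review bot: The three crime_malware_set_oct16.yar hunks on this line (Unspecified_Malware_Oct16_A, Sality_Malware_Oct16, Unspecified_Malware_Oct16_C) all carry the typo "unspecififed" in `description`; the fix is `description = "Detects an unspecified malware - October 2016"`. For Sality_Malware_Oct16 the rule name already attributes the sample to a family, so a description such as `"Detects Sality malware - October 2016"` would be more useful to whoever triages a hit, assuming the attribution in the name is correct. The rule bodies are outside the hunks.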
@@ -85,6 +88,7 @@ rule Unspecified_Malware_Oct16_C {
 rule Bladabindi_Malware_B64 {
 meta:
 description = "Detects Bladabindi Malware using Base64 encoded strings"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-10-08"
@@ -102,6 +106,7 @@ rule Bladabindi_Malware_B64 {
 rule Dorkbot_Injector_Malware {
 meta:
 description = "Detects Darkbot Injector"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-10-08"
@@ -121,6 +126,7 @@ rule Dorkbot_Injector_Malware {
 rule Unspecified_Malware_Oct16_D {
 meta:
 description = "Detects unspecified malware - October 2016"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-10-08"
@@ -140,6 +146,7 @@ rule Unspecified_Malware_Oct16_D {
 rule Unspecified_Malware_Oct16_E {
 meta:
 description = "Detects unspecified Malware - October 2016"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-10-08"
diff --git a/yara/crime_mikey_trojan.yar b/yara/crime_mikey_trojan.yar
index 7579d05..458d8f0 100644
--- a/yara/crime_mikey_trojan.yar
+++ b/yara/crime_mikey_trojan.yar
@@ -2,6 +2,7 @@
 rule Gen_Trojan_Mikey {
 meta:
 description = "Trojan Mikey - file sample_mikey.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-05-07"
 hash = "a8e6c3ca056b3ff2495d7728654b780735b3a4cb"
diff --git a/yara/crime_mirai.yar b/yara/crime_mirai.yar
index 6ab113d..ddf6fc4 100644
--- a/yara/crime_mirai.yar
+++ b/yara/crime_mirai.yar
@@ -10,6 +10,7 @@
 rule Mirai_Botnet_Malware {
 meta:
 description = "Detects Mirai Botnet Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-10-04"
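Review bot: Dorkbot_Injector_Malware's description says "Darkbot", which disagrees with the rule name; family names in `description` are what analysts and SIEM enrichment key on, so the two should match: `description = "Detects Dorkbot Injector"`. The rule body is outside the hunk.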
@@ -60,6 +61,7 @@ rule Mirai_Botnet_Malware {
 rule Mirai_1_May17 {
 meta:
 description = "Detects Mirai Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-05-12"
@@ -76,6 +78,7 @@ rule Mirai_1_May17 {
 rule Miari_2_May17 {
 meta:
 description = "Detects Mirai Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-05-12"
diff --git a/yara/crime_mywscript_dropper.yar b/yara/crime_mywscript_dropper.yar
index ed23152..63c8dea 100644
--- a/yara/crime_mywscript_dropper.yar
+++ b/yara/crime_mywscript_dropper.yar
@@ -10,6 +10,7 @@
 rule MyWScript_CompiledScript {
 meta:
 description = "Detects a scripte with default name Mywscript compiled with Script2Exe (can also be a McAfee tool https://community.mcafee.com/docs/DOC-4124)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-07-27"
diff --git a/yara/crime_nopetya_jun17.yar b/yara/crime_nopetya_jun17.yar
index 33efea7..5cf911a 100644
--- a/yara/crime_nopetya_jun17.yar
+++ b/yara/crime_nopetya_jun17.yar
@@ -12,6 +12,7 @@
 rule NotPetya_Ransomware_Jun17 {
 meta:
 description = "Detects new NotPetya Ransomware variant from June 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/h6iaGj"
 date = "2017-06-27"
diff --git a/yara/crime_phish_gina_dec15.yar b/yara/crime_phish_gina_dec15.yar
index a44193b..44ce356 100644
--- a/yara/crime_phish_gina_dec15.yar
+++ b/yara/crime_phish_gina_dec15.yar
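Review bot: MyWScript_CompiledScript's description has the typo "scripte"; the fix is `description = "Detects a script with default name Mywscript compiled with Script2Exe (can also be a McAfee tool https://community.mcafee.com/docs/DOC-4124)"`. Given the description itself says the match can be a legitimate McAfee tool, a `score` meta lowering its severity (if this corpus uses one elsewhere) would help consumers treat it as suspicious rather than malicious. The rule body is outside the hunk.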
@@ -8,6 +8,7 @@
 rule PHISH_02Dez2015_dropped_p0o6543f_1 {
 meta:
 description = "Phishing Wave - file p0o6543f.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
 date = "2015-12-02"
@@ -29,6 +30,7 @@ rule PHISH_02Dez2015_dropped_p0o6543f_1 {
 rule PHISH_02Dez2015_dropped_p0o6543f_2 {
 meta:
 description = "Phishing Wave used MineExplorer Game by WangLei - file p0o6543f.exe.4"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
 date = "2015-12-03"
@@ -45,6 +47,7 @@ rule PHISH_02Dez2015_dropped_p0o6543f_2 {
 rule PHISH_02Dez2015_attach_P_ORD_C_10156_124658 {
 meta:
 description = "Phishing Wave - file P-ORD-C-10156-124658.xls"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
 date = "2015-12-02"
diff --git a/yara/crime_rombertik_carbongrabber.yar b/yara/crime_rombertik_carbongrabber.yar
index 40e6946..c137c2c 100644
--- a/yara/crime_rombertik_carbongrabber.yar
+++ b/yara/crime_rombertik_carbongrabber.yar
@@ -10,6 +10,7 @@
 rule Rombertik_CarbonGrabber {
 meta:
 description = "Detects CarbonGrabber alias Rombertik - file Copy#064046.scr"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blogs.cisco.com/security/talos/rombertik"
 date = "2015-05-05"
@@ -31,6 +32,7 @@ rule Rombertik_CarbonGrabber {
 rule Rombertik_CarbonGrabber_Panel_InstallScript {
 meta:
 description = "Detects CarbonGrabber alias Rombertik panel install script - file install.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blogs.cisco.com/security/talos/rombertik"
 date = "2015-05-05"
@@ -51,6 +53,7 @@ rule Rombertik_CarbonGrabber_Panel_InstallScript {
 rule Rombertik_CarbonGrabber_Panel {
 meta:
 description = "Detects CarbonGrabber alias Rombertik Panel - file index.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blogs.cisco.com/security/talos/rombertik"
 date = "2015-05-05"
@@ -69,6 +72,7 @@ rule Rombertik_CarbonGrabber_Panel {
 rule Rombertik_CarbonGrabber_Builder {
 meta:
 description = "Detects CarbonGrabber alias Rombertik Builder - file Builder.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blogs.cisco.com/security/talos/rombertik"
 date = "2015-05-05"
@@ -86,6 +90,7 @@ rule Rombertik_CarbonGrabber_Builder {
 rule Rombertik_CarbonGrabber_Builder_Server {
 meta:
 description = "Detects CarbonGrabber alias Rombertik Builder Server - file Server.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blogs.cisco.com/security/talos/rombertik"
 date = "2015-05-05"
diff --git a/yara/crime_shifu_trojan.yar b/yara/crime_shifu_trojan.yar
index cb36022..11ea685 100644
--- a/yara/crime_shifu_trojan.yar
+++ b/yara/crime_shifu_trojan.yar
@@ -8,6 +8,7 @@
 rule Shifu_Banking_Trojan {
 meta:
 description = "Detects Shifu Banking Trojan"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/"
 date = "2015-09-01"
@@ -27,6 +28,7 @@ rule Shifu_Banking_Trojan {
 rule SHIFU_Banking_Trojan {
 meta:
 description = "Detects SHIFU Banking Trojan"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/52n8WE"
 date = "2015-10-31"
diff --git a/yara/crime_snarasite.yar b/yara/crime_snarasite.yar
index 0f24b4e..bf8b869 100644
--- a/yara/crime_snarasite.yar
+++ b/yara/crime_snarasite.yar
@@ -3,6 +3,7 @@ import "pe"
 rule BKDR_Snarasite_Oct17 {
 meta:
 description = "Auto-generated rule - file 36ba92cba23971ca9d16a0b4f45c853fd5b3108076464d5f2027b0f56054fd62"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-10-07"
diff --git a/yara/crime_teledoor.yar b/yara/crime_teledoor.yar
index e0b8180..6dc4d27 100644
--- a/yara/crime_teledoor.yar
+++ b/yara/crime_teledoor.yar
@@ -11,6 +11,7 @@
 rule TeleDoor_Backdoor {
 meta:
 description = "Detects the TeleDoor Backdoor as used in Petya Attack in June 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/CpfJQQ"
 date = "2017-07-05"
diff --git a/yara/crime_upatre_oct15.yar b/yara/crime_upatre_oct15.yar
index d6a7e78..185bb02 100644
--- a/yara/crime_upatre_oct15.yar
+++ b/yara/crime_upatre_oct15.yar
@@ -8,6 +8,7 @@
 rule Upatre_Hazgurut {
 meta:
 description = "Detects Upatre malware - file hazgurut.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7"
 date = "2015-10-13"
diff --git a/yara/crime_wannacry.yar b/yara/crime_wannacry.yar
index 92f186c..005a675 100644
--- a/yara/crime_wannacry.yar
+++ b/yara/crime_wannacry.yar
@@ -66,6 +66,7 @@ rule WannaCry_Ransomware_Gen {
 rule WannCry_m_vbs {
 meta:
 description = "Detects WannaCry Ransomware VBS"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/HG2j5T"
 date = "2017-05-12"
@@ -81,6 +82,7 @@ rule WannCry_m_vbs {
 rule WannCry_BAT {
 meta:
 description = "Detects WannaCry Ransomware BATCH File"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/HG2j5T"
 date = "2017-05-12"
@@ -97,6 +99,7 @@ rule WannCry_BAT {
 rule WannaCry_RansomNote {
 meta:
 description = "Detects WannaCry Ransomware Note"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/HG2j5T"
 date = "2017-05-12"
diff --git a/yara/crime_zeus_panda.yar b/yara/crime_zeus_panda.yar
index a1c5fc3..2da72e1 100644
--- a/yara/crime_zeus_panda.yar
+++ b/yara/crime_zeus_panda.yar
@@ -11,6 +11,7 @@
 rule Zeus_Panda {
 meta:
 description = "Detects ZEUS Panda Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf"
 date = "2017-08-04"
diff --git a/yara/exp_drivecrypt.yar b/yara/exp_drivecrypt.yar
index 3d8facb..c459ba3 100644
--- a/yara/exp_drivecrypt.yar
+++ b/yara/exp_drivecrypt.yar
@@ -2,6 +2,7 @@
 rule EXP_DriveCrypt_1 {
 meta:
 description = "Detects DriveCrypt exploit"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-08-21"
@@ -17,6 +18,7 @@ rule EXP_DriveCrypt_1 {
 rule EXP_DriveCrypt_x64passldr {
 meta:
 description = "Detects DriveCrypt exploit"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-08-21"
diff --git a/yara/exploit_cve_2014_4076.yar b/yara/exploit_cve_2014_4076.yar
index 7d37195..7501f52 100644
--- a/yara/exploit_cve_2014_4076.yar
+++ b/yara/exploit_cve_2014_4076.yar
@@ -2,6 +2,7 @@
 rule CVE_2014_4076_Exploitcode {
 meta:
 description = "Detects an exploit code for CVE-2014-4076"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Neo23x0/yarGen"
 date = "2018-04-04"
diff --git a/yara/exploit_cve_2015_1674.yar b/yara/exploit_cve_2015_1674.yar
index ea6ac62..b25fc40 100644
--- a/yara/exploit_cve_2015_1674.yar
+++ b/yara/exploit_cve_2015_1674.yar
@@ -10,6 +10,7 @@
 rule CVE_2015_1674_CNGSYS {
 meta:
 description = "Detects exploits for CVE-2015-1674"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.binvul.com/viewthread.php?tid=508"
 date = "2015-05-14"
diff --git a/yara/exploit_cve_2015_1701.yar b/yara/exploit_cve_2015_1701.yar
index 6855721..1314d06 100644
--- a/yara/exploit_cve_2015_1701.yar
+++ b/yara/exploit_cve_2015_1701.yar
@@ -2,6 +2,7 @@
 rule CVE_2015_1701_Taihou {
 meta:
 description = "CVE-2015-1701 compiled exploit code"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/W4nU0q"
 date = "2015-05-13"
diff --git a/yara/exploit_cve_2015_2426.yar b/yara/exploit_cve_2015_2426.yar
index e7070d9..77c763b 100644
--- a/yara/exploit_cve_2015_2426.yar
+++ b/yara/exploit_cve_2015_2426.yar
@@ -10,6 +10,7 @@
 rule Exploit_MS15_077_078 {
 meta:
 description = "MS15-078 / MS15-077 exploit - generic signature"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200"
 date = "2015-07-21"
@@ -36,6 +37,7 @@ rule Exploit_MS15_077_078 {
 rule Exploit_MS15_077_078_HackingTeam {
 meta:
 description = "MS15-078 / MS15-077 exploit - Hacking Team code"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-07-21"
 super_rule = 1
diff --git a/yara/exploit_cve_2015_2545.yar b/yara/exploit_cve_2015_2545.yar
index 98ee67c..41d48a2 100644
--- a/yara/exploit_cve_2015_2545.yar
+++ b/yara/exploit_cve_2015_2545.yar
@@ -2,6 +2,7 @@
 rule Exp_EPS_CVE20152545 {
 meta:
 description = "Detects EPS Word Exploit CVE-2015-2545"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - ME"
 date = "2017-07-19"
diff --git a/yara/exploit_cve_2015_5119.yar b/yara/exploit_cve_2015_5119.yar
index 34b06a9..d7f6b15 100644
--- a/yara/exploit_cve_2015_5119.yar
+++ b/yara/exploit_cve_2015_5119.yar
@@ -2,7 +2,8 @@
 rule Flash_CVE_2015_5119_APT3_leg {
 meta:
 description = "Exploit Sample CVE-2015-5119"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 70
 yaraexchange = "No distribution without author's consent"
 date = "2015-08-01"
diff --git a/yara/exploit_cve_2017_11882.yar b/yara/exploit_cve_2017_11882.yar
index 8c45ea5..aba78c1 100644
--- a/yara/exploit_cve_2017_11882.yar
+++ b/yara/exploit_cve_2017_11882.yar
@@ -55,6 +55,7 @@ rule packager_cve2017_11882 {
 rule CVE_2017_11882_RTF {
 meta:
 description = "Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-02-13"
diff --git a/yara/exploit_cve_2017_8759.yar b/yara/exploit_cve_2017_8759.yar
index 1d33ca8..19832b6 100644
--- a/yara/exploit_cve_2017_8759.yar
+++ b/yara/exploit_cve_2017_8759.yar
@@ -18,6 +18,7 @@ private rule RTFFILE {
 rule CVE_2017_8759_Mal_HTA {
 meta:
 description = "Detects malicious files related to CVE-2017-8759 - file cmd.hta"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
 date = "2017-09-14"
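Review bot: The new `license = "https://creativecommons.org/licenses/by-nc/4.0/"` line in `Flash_CVE_2015_5119_APT3_leg` sits two lines above the existing `yaraexchange = "No distribution without author's consent"` meta, and the two statements contradict each other: CC BY-NC 4.0 permits redistribution for non-commercial use without asking, while the older field forbids any distribution. Either the `yaraexchange` line should be removed or reworded to match the new terms, or this particular rule should not carry the blanket license line, so that consumers of the rule set see one consistent licensing statement per rule. The same hunk also removes and re-adds `author = "Florian Roth"` with no visible textual difference, which in this collapsed view looks like an indentation or trailing-whitespace edit bundled into a metadata-only commit; every hunk in gen_cn_hacktool_scripts.yar shows the same pattern. Keeping whitespace normalisation in its own commit would keep blame on the attribution lines pointing at the original change.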
@@ -31,6 +32,7 @@ rule CVE_2017_8759_Mal_HTA {
 rule CVE_2017_8759_Mal_Doc {
 meta:
 description = "Detects malicious files related to CVE-2017-8759 - file Doc1.doc"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
 date = "2017-09-14"
@@ -49,6 +51,7 @@ rule CVE_2017_8759_Mal_Doc {
 rule CVE_2017_8759_SOAP_via_JS {
 meta:
 description = "Detects SOAP WDSL Download via JavaScript"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/buffaloverflow/status/907728364278087680"
 date = "2017-09-14"
@@ -63,6 +66,7 @@ rule CVE_2017_8759_SOAP_via_JS {
 rule CVE_2017_8759_SOAP_Excel {
 meta:
 description = "Detects malicious files related to CVE-2017-8759"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/buffaloverflow/status/908455053345869825"
 date = "2017-09-15"
@@ -76,6 +80,7 @@ rule CVE_2017_8759_SOAP_Excel {
 rule CVE_2017_8759_SOAP_txt {
 meta:
 description = "Detects malicious file in releation with CVE-2017-8759 - file exploit.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
 date = "2017-09-14"
diff --git a/yara/exploit_cve_2017_9800.yar b/yara/exploit_cve_2017_9800.yar
index d12d7c7..fafe9f0 100644
--- a/yara/exploit_cve_2017_9800.yar
+++ b/yara/exploit_cve_2017_9800.yar
@@ -2,6 +2,7 @@
 rule git_CVE_2017_9800_poc {
 meta:
 description = "Detects a CVE-2017-9800 exploitation attempt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/mzbat/status/895811803325898753"
 date = "2017-08-11"
diff --git a/yara/exploit_uac_elevators.yar b/yara/exploit_uac_elevators.yar
index b88f848..d05798a 100644
--- a/yara/exploit_uac_elevators.yar
+++ b/yara/exploit_uac_elevators.yar
@@ -2,6 +2,7 @@
 rule Win7Elevatev2 {
 meta:
 description = "Detects Win7Elevate - Windows UAC bypass utility"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html"
 date = "2015-05-14"
@@ -33,6 +34,7 @@ rule Win7Elevatev2 {
 rule UACME_Akagi {
 meta:
 description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/hfiref0x/UACME"
 date = "2015-05-14"
@@ -62,6 +64,7 @@ rule UACME_Akagi {
 rule UACElevator {
 meta:
 description = "UACElevator bypassing UAC - file UACElevator.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/MalwareTech/UACElevator"
 date = "2015-05-14"
@@ -86,6 +89,7 @@ rule UACElevator {
 rule s4u {
 meta:
 description = "Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/aurel26/s-4-u-for-windows"
 date = "2015-06-05"
@@ -143,6 +147,7 @@ rule s4u {
 rule UACME_Akagi_2 {
 meta:
 description = "Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/hfiref0x/UACME"
 date = "2017-02-03"
diff --git a/yara/gen_armitage.yar b/yara/gen_armitage.yar
index 5c25b06..f817d81 100644
--- a/yara/gen_armitage.yar
+++ b/yara/gen_armitage.yar
@@ -14,6 +14,7 @@
 rule Armitage_msfconsole {
 meta:
 description = "Detects Armitage component"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-12-24"
@@ -34,6 +35,7 @@ rule Armitage_msfconsole {
 rule Armitage_MeterpreterSession_Strings {
 meta:
 description = "Detects Armitage component"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-12-24"
@@ -52,6 +54,7 @@ rule Armitage_MeterpreterSession_Strings {
 rule Armitage_OSX {
 meta:
 description = "Detects Armitage component"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-12-24"
diff --git a/yara/gen_b374k_extra.yar b/yara/gen_b374k_extra.yar
index fcfc626..e8e9080 100644
--- a/yara/gen_b374k_extra.yar
+++ b/yara/gen_b374k_extra.yar
@@ -8,6 +8,7 @@
 rule b374k_back_connect {
 meta:
 description = "Detects privilege escalation tool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Analysis"
 date = "2016-08-18"
diff --git a/yara/gen_case_anomalies.yar b/yara/gen_case_anomalies.yar
index 6afd176..45de541 100644
--- a/yara/gen_case_anomalies.yar
+++ b/yara/gen_case_anomalies.yar
@@ -11,6 +11,7 @@
 rule PowerShell_Case_Anomaly {
 meta:
 description = "Detects obfuscated PowerShell hacktools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/danielhbohannon/status/905096106924761088"
 date = "2017-08-11"
@@ -55,6 +56,7 @@ rule PowerShell_Case_Anomaly {
 rule WScriptShell_Case_Anomaly {
 meta:
 description = "Detects obfuscated wscript.shell commands"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-09-11"
diff --git a/yara/gen_chaos_payload.yar b/yara/gen_chaos_payload.yar
index 02486c5..efebe44 100644
--- a/yara/gen_chaos_payload.yar
+++ b/yara/gen_chaos_payload.yar
@@ -11,6 +11,7 @@
 rule CHAOS_Payload {
 meta:
 description = "Detects a CHAOS back connect payload"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/tiagorlampert/CHAOS"
 date = "2017-07-15"
diff --git a/yara/gen_cn_hacktool_scripts.yar b/yara/gen_cn_hacktool_scripts.yar
index b9a29ff..3b34149 100644
--- a/yara/gen_cn_hacktool_scripts.yar
+++ b/yara/gen_cn_hacktool_scripts.yar
@@ -10,7 +10,8 @@
 rule CN_Tools_xbat {
 meta:
 description = "Chinese Hacktool Set - file xbat.vbs"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "a7005acda381a09803b860f04d4cae3fdb65d594"
@@ -24,7 +25,8 @@ rule CN_Tools_xbat {
 rule CN_Tools_Temp {
 meta:
 description = "Chinese Hacktool Set - file Temp.war"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "c3327ef63b0ed64c4906e9940ef877c76ebaff58"
@@ -40,7 +42,8 @@ rule CN_Tools_Temp {
 rule CN_Tools_srss {
 meta:
 description = "Chinese Hacktool Set - file srss.bat"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "092ab0797947692a247fe80b100fb4df0f9c37a0"
@@ -54,7 +57,8 @@ rule CN_Tools_srss {
 rule dll_UnReg {
 meta:
 description = "Chinese Hacktool Set - file UnReg.bat"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "d5e24ba86781c332d0c99dea62f42b14e893d17e"
@@ -68,7 +72,8 @@ rule dll_UnReg {
 rule dll_Reg {
 meta:
 description = "Chinese Hacktool Set - file Reg.bat"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "cb8a92fe256a3e5b869f9564ecd1aa9c5c886e3f"
@@ -82,7 +87,8 @@ rule dll_Reg {
 rule sbin_squid {
 meta:
 description = "Chinese Hacktool Set - file squid.bat"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "8b795a8085c3e6f3d764ebcfe6d59e26fdb91969"
@@ -98,7 +104,8 @@ rule sbin_squid {
 rule sql1433_creck {
 meta:
 description = "Chinese Hacktool Set - file creck.bat"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "189c11a3b268789a3fbcfac3bd4e03cbfde87b1d"
@@ -113,7 +120,8 @@ rule sql1433_creck {
 rule sql1433_Start {
 meta:
 description = "Chinese Hacktool Set - file Start.bat"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "bd4be10f4c3a982647b2da1a8fb2e19de34eaf01"
diff --git a/yara/gen_cn_hacktools.yar b/yara/gen_cn_hacktools.yar
index aa12a00..43158ba 100644
--- a/yara/gen_cn_hacktools.yar
+++ b/yara/gen_cn_hacktools.yar
@@ -9,6 +9,7 @@
 rule mswin_check_lm_group {
 meta:
 description = "Chinese Hacktool Set - file mswin_check_lm_group.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -24,6 +25,7 @@ rule mswin_check_lm_group {
 rule WAF_Bypass {
 meta:
 description = "Chinese Hacktool Set - file WAF-Bypass.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -42,6 +44,7 @@ rule WAF_Bypass {
 rule Guilin_veterans_cookie_spoofing_tool {
 meta:
 description = "Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -58,6 +61,7 @@ rule Guilin_veterans_cookie_spoofing_tool {
 rule MarathonTool {
 meta:
 description = "Chinese Hacktool Set - file MarathonTool.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -73,6 +77,7 @@ rule MarathonTool {
 rule PLUGIN_TracKid {
 meta:
 description = "Chinese Hacktool Set - file TracKid.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -91,6 +96,7 @@ rule PLUGIN_TracKid {
 rule Pc_pc2015 {
 meta:
 description = "Chinese Hacktool Set - file pc2015.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -106,6 +112,7 @@ rule Pc_pc2015 {
 rule sekurlsa {
 meta:
 description = "Chinese Hacktool Set - file sekurlsa.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -122,6 +129,7 @@ rule sekurlsa {
 rule mysqlfast {
 meta:
 description = "Chinese Hacktool Set - file mysqlfast.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -140,6 +148,7 @@ rule mysqlfast {
 rule DTools2_02_DTools {
 meta:
 description = "Chinese Hacktool Set - file DTools.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -158,6 +167,7 @@ rule DTools2_02_DTools {
 rule dll_PacketX {
 meta:
 description = "Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -173,6 +183,7 @@ rule dll_PacketX {
 rule SqlDbx_zhs {
 meta:
 description = "Chinese Hacktool Set - file SqlDbx_zhs.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -192,6 +203,7 @@ rule SqlDbx_zhs {
 rule ms10048_x86 {
 meta:
 description = "Chinese Hacktool Set - file ms10048-x86.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -210,6 +222,7 @@ rule ms10048_x86 {
 rule Dos_ch {
 meta:
 description = "Chinese Hacktool Set - file ch.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -228,6 +241,7 @@ rule Dos_ch {
 rule DUBrute_DUBrute {
 meta:
 description = "Chinese Hacktool Set - file DUBrute.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -244,6 +258,7 @@ rule DUBrute_DUBrute {
 rule CookieTools {
 meta:
 description = "Chinese Hacktool Set - file CookieTools.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -261,6 +276,7 @@ rule CookieTools {
 rule update_PcInit {
 meta:
 description = "Chinese Hacktool Set - file PcInit.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -279,6 +295,7 @@ rule update_PcInit {
 rule dat_NaslLib {
 meta:
 description = "Chinese Hacktool Set - file NaslLib.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -294,6 +311,7 @@ rule dat_NaslLib {
 rule Dos_1 {
 meta:
 description = "Chinese Hacktool Set - file 1.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -308,6 +326,7 @@ rule Dos_1 {
 rule OtherTools_servu {
 meta:
 description = "Chinese Hacktool Set - file svu.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -324,6 +343,7 @@ rule OtherTools_servu {
 rule ustrrefadd {
 meta:
 description = "Chinese Hacktool Set - file ustrrefadd.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -341,6 +361,7 @@ rule ustrrefadd {
 rule XScanLib {
 meta:
 description = "Chinese Hacktool Set - file XScanLib.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -357,6 +378,7 @@ rule XScanLib {
 rule IDTools_For_WinXP_IdtTool {
 meta:
 description = "Chinese Hacktool Set - file IdtTool.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -372,6 +394,7 @@ rule IDTools_For_WinXP_IdtTool {
 rule GoodToolset_ms11046 {
 meta:
 description = "Chinese Hacktool Set - file ms11046.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -389,6 +412,7 @@ rule GoodToolset_ms11046 {
 rule Cmdshell32 {
 meta:
 description = "Chinese Hacktool Set - file Cmdshell32.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -404,6 +428,7 @@ rule Cmdshell32 {
 rule Sniffer_analyzer_SSClone_1210_full_version {
 meta:
 description = "Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -420,6 +445,7 @@ rule Sniffer_analyzer_SSClone_1210_full_version {
 rule x64_klock {
 meta:
 description = "Chinese Hacktool Set - file klock.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -436,6 +462,7 @@ rule x64_klock {
 rule Dos_Down32 {
 meta:
 description = "Chinese Hacktool Set - file Down32.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -451,6 +478,7 @@ rule Dos_Down32 {
 rule MarathonTool_2 {
 meta:
 description = "Chinese Hacktool Set - file MarathonTool.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -466,6 +494,7 @@ rule MarathonTool_2 {
 rule scanms_scanms {
 meta:
 description = "Chinese Hacktool Set - file scanms.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -483,6 +512,7 @@ rule scanms_scanms {
 rule CN_Tools_PcShare {
 meta:
 description = "Chinese Hacktool Set - file PcShare.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -502,6 +532,7 @@ rule CN_Tools_PcShare {
 rule pw_inspector {
 meta:
 description = "Chinese Hacktool Set - file pw-inspector.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -517,6 +548,7 @@ rule pw_inspector {
 rule Dll_LoadEx {
 meta:
 description = "Chinese Hacktool Set - file Dll_LoadEx.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -536,6 +568,7 @@ rule Dll_LoadEx {
 rule dat_report {
 meta:
 description = "Chinese Hacktool Set - file report.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -550,6 +583,7 @@ rule dat_report {
 rule Dos_iis7 {
 meta:
 description = "Chinese Hacktool Set - file iis7.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -567,6 +601,7 @@ rule Dos_iis7 {
 rule SwitchSniffer {
 meta:
 description = "Chinese Hacktool Set - file SwitchSniffer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -581,6 +616,7 @@ rule SwitchSniffer {
 rule dbexpora {
 meta:
 description = "Chinese Hacktool Set - file dbexpora.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -596,6 +632,7 @@ rule dbexpora {
 rule SQLCracker {
 meta:
 description = "Chinese Hacktool Set - file SQLCracker.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -613,6 +650,7 @@ rule SQLCracker {
 rule FreeVersion_debug {
 meta:
 description = "Chinese Hacktool Set - file debug.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -632,6 +670,7 @@ rule FreeVersion_debug {
 rule Dos_look {
 meta:
 description = "Chinese Hacktool Set - file look.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -647,6 +686,7 @@ rule Dos_look {
 rule NtGodMode {
 meta:
 description = "Chinese Hacktool Set - file NtGodMode.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -664,6 +704,7 @@ rule NtGodMode {
 rule WebCrack4_RouterPasswordCracking {
 meta:
 description = "Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -681,6 +722,7 @@ rule WebCrack4_RouterPasswordCracking {
 rule hscan_gui {
 meta:
 description = "Chinese Hacktool Set - file hscan-gui.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -696,6 +738,7 @@ rule hscan_gui {
 rule S_MultiFunction_Scanners_s {
 meta:
 description = "Chinese Hacktool Set - file s.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -720,6 +763,7 @@ rule S_MultiFunction_Scanners_s {
 rule Dos_GetPass {
 meta:
 description = "Chinese Hacktool Set - file GetPass.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -737,6 +781,7 @@ rule Dos_GetPass {
 rule update_PcMain {
 meta:
 description = "Chinese Hacktool Set - file PcMain.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -761,6 +806,7 @@ rule update_PcMain {
 rule Dos_sys {
 meta:
 description = "Chinese Hacktool Set - file sys.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -777,6 +823,7 @@ rule Dos_sys {
 rule dat_xpf {
 meta:
 description = "Chinese Hacktool Set - file xpf.sys"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -792,6 +839,7 @@ rule dat_xpf {
 rule Project1 {
 meta:
 description = "Chinese Hacktool Set - file Project1.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -807,6 +855,7 @@ rule Project1 {
 rule Arp_EMP_v1_0 {
 meta:
 description = "Chinese Hacktool Set - file Arp EMP v1.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -820,6 +869,7 @@ rule Arp_EMP_v1_0 {
 rule CN_Tools_MyUPnP {
 meta:
 description = "Chinese Hacktool Set - file MyUPnP.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -835,6 +885,7 @@ rule CN_Tools_MyUPnP {
 rule CN_Tools_Shiell {
 meta:
 description = "Chinese Hacktool Set - file Shiell.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -851,6 +902,7 @@ rule CN_Tools_Shiell {
 rule cndcom_cndcom {
 meta:
 description = "Chinese Hacktool Set - file cndcom.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -871,6 +923,7 @@ rule cndcom_cndcom {
 rule IsDebug_V1_4 {
 meta:
 description = "Chinese Hacktool Set - file IsDebug V1.4.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -891,6 +944,7 @@ rule IsDebug_V1_4 {
 rule HTTPSCANNER {
 meta:
 description = "Chinese Hacktool Set - file HTTPSCANNER.EXE"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -905,6 +959,7 @@ rule HTTPSCANNER {
 rule HScan_v1_20_PipeCmd {
 meta:
 description = "Chinese Hacktool Set - file PipeCmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -926,6 +981,7 @@ rule HScan_v1_20_PipeCmd {
 rule Dos_fp {
 meta:
 description = "Chinese Hacktool Set - file fp.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -942,6 +998,7 @@ rule Dos_fp {
 rule Dos_netstat {
 meta:
 description = "Chinese Hacktool Set - file netstat.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -958,6 +1015,7 @@ rule Dos_netstat {
 rule CN_Tools_xsniff {
 meta:
 description = "Chinese Hacktool Set - file xsniff.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -975,6 +1033,7 @@ rule CN_Tools_xsniff {
 rule MSSqlPass {
 meta:
 description = "Chinese Hacktool Set - file MSSqlPass.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -990,6 +1049,7 @@ rule MSSqlPass {
 rule WSockExpert {
 meta:
 description = "Chinese Hacktool Set - file WSockExpert.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1008,6 +1068,7 @@ rule WSockExpert {
 rule Ms_Viru_racle {
 meta:
 description = "Chinese Hacktool Set - file racle.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1024,6 +1085,7 @@ rule Ms_Viru_racle {
 rule lamescan3 {
 meta:
 description = "Chinese Hacktool Set - file lamescan3.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1040,6 +1102,7 @@ rule lamescan3 {
 rule CN_Tools_pc {
 meta:
 description = "Chinese Hacktool Set - file pc.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1056,6 +1119,7 @@ rule CN_Tools_pc {
 rule Dos_Down64 {
 meta:
 description = "Chinese Hacktool Set - file Down64.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1074,6 +1138,7 @@ rule Dos_Down64 {
 rule epathobj_exp32 {
 meta:
 description = "Chinese Hacktool Set - file epathobj_exp32.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1091,6 +1156,7 @@ rule epathobj_exp32 {
 rule Tools_unknown {
 meta:
 description = "Chinese Hacktool Set - file unknown.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1108,6 +1174,7 @@ rule Tools_unknown {
 rule PLUGIN_AJunk {
 meta:
 description = "Chinese Hacktool Set - file AJunk.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1123,6 +1190,7 @@ rule PLUGIN_AJunk {
 rule IISPutScanner {
 meta:
 description = "Chinese Hacktool Set - file IISPutScanner.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1166,6 +1234,7 @@ rule IISPutScanner {
 rule IDTools_For_WinXP_IdtTool_2 {
 meta:
 description = "Chinese Hacktool Set - file IdtTool.sys"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1183,6 +1252,7 @@ rule IDTools_For_WinXP_IdtTool_2 {
 rule hkmjjiis6 {
 meta:
 description = "Chinese Hacktool Set - file hkmjjiis6.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1204,6 +1274,7 @@ rule hkmjjiis6 {
 rule Dos_lcx {
 meta:
 description = "Chinese Hacktool Set - file lcx.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1228,6 +1299,7 @@ rule Dos_lcx {
 rule x_way2_5_X_way {
 meta:
 description = "Chinese Hacktool Set - file X-way.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1249,6 +1321,7 @@ rule x_way2_5_X_way {
 rule tools_Sqlcmd {
 meta:
 description = "Chinese Hacktool Set - file Sqlcmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1268,6 +1341,7 @@ rule tools_Sqlcmd {
 rule Sword1_5 {
 meta:
 description = "Chinese Hacktool Set - file Sword1.5.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1287,6 +1361,7 @@ rule Sword1_5 {
 rule Tools_scan {
 meta:
 description = "Chinese Hacktool Set - file scan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1302,6 +1377,7 @@ rule Tools_scan {
 rule Dos_c {
 meta:
 description = "Chinese Hacktool Set - file c.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1321,6 +1397,7 @@ rule Dos_c {
 rule arpsniffer {
 meta:
 description = "Chinese Hacktool Set - file arpsniffer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1338,6 +1415,7 @@ rule arpsniffer {
 rule pw_inspector_2 {
 meta:
 description = "Chinese Hacktool Set - file pw-inspector.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1354,6 +1432,7 @@ rule pw_inspector_2 {
 rule datPcShare {
 meta:
 description = "Chinese Hacktool Set - file datPcShare.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1370,6 +1449,7 @@ rule datPcShare {
 rule Tools_xport {
 meta:
 description = "Chinese Hacktool Set - file xport.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1391,6 +1471,7 @@ rule Tools_xport {
 rule Pc_xai {
 meta:
 description = "Chinese Hacktool Set - file xai.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1410,6 +1491,7 @@ rule Pc_xai {
 rule Radmin_Hash {
 meta:
 description = "Chinese Hacktool Set - file Radmin_Hash.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1427,6 +1509,7 @@ rule Radmin_Hash {
 rule OSEditor {
 meta:
 description = "Chinese Hacktool Set - file OSEditor.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1444,6 +1527,7 @@ rule OSEditor {
 rule GoodToolset_ms11011 {
 meta:
 description = "Chinese Hacktool Set - file ms11011.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1460,6 +1544,7 @@ rule GoodToolset_ms11011 {
 rule FreeVersion_release {
 meta:
 description = "Chinese Hacktool Set - file release.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1478,6 +1563,7 @@ rule FreeVersion_release {
 rule churrasco {
 meta:
 description = "Chinese Hacktool Set - file churrasco.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1494,6 +1580,7 @@ rule churrasco {
 rule x64_KiwiCmd {
 meta:
 description = "Chinese Hacktool Set - file KiwiCmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1509,6 +1596,7 @@ rule x64_KiwiCmd {
 rule sql1433_SQL {
 meta:
 description = "Chinese Hacktool Set - file SQL.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1525,6 +1613,7 @@ rule sql1433_SQL {
 rule CookieTools2 {
 meta:
 description = "Chinese Hacktool Set - file CookieTools2.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1541,6 +1630,7 @@ rule CookieTools2 {
 rule cyclotron {
 meta:
 description = "Chinese Hacktool Set - file cyclotron.sys"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1558,6 +1648,7 @@ rule cyclotron {
 rule xscan_gui {
 meta:
 description = "Chinese Hacktool Set - file xscan_gui.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1574,6 +1665,7 @@ rule xscan_gui {
 rule CN_Tools_hscan {
 meta:
 description = "Chinese Hacktool Set - file hscan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1594,6 +1686,7 @@ rule CN_Tools_hscan {
 rule GoodToolset_pr {
 meta:
 description = "Chinese Hacktool Set - file pr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1612,6 +1705,7 @@ rule GoodToolset_pr {
 rule hydra_7_4_1_hydra {
 meta:
 description = "Chinese Hacktool Set - file hydra.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1630,6 +1724,7 @@ rule hydra_7_4_1_hydra {
 rule CN_Tools_srss_2 {
 meta:
 description = "Chinese Hacktool Set - file srss.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1652,6 +1747,7 @@ rule CN_Tools_srss_2 {
 rule Dos_NtGod {
 meta:
 description = "Chinese Hacktool Set - file NtGod.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1668,6 +1764,7 @@ rule Dos_NtGod {
 rule CN_Tools_VNCLink {
 meta:
 description = "Chinese Hacktool Set - file VNCLink.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1683,6 +1780,7 @@ rule CN_Tools_VNCLink {
 rule tools_NTCmd {
 meta:
 description = "Chinese Hacktool Set - file NTCmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1701,6 +1799,7 @@ rule tools_NTCmd {
 rule mysql_pwd_crack {
 meta:
 description = "Chinese Hacktool Set - file mysql_pwd_crack.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1718,6 +1817,7 @@ rule mysql_pwd_crack {
 rule CmdShell64 {
 meta:
 description = "Chinese Hacktool Set - file CmdShell64.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1737,6 +1837,7 @@ rule CmdShell64 {
 rule Ms_Viru_v {
 meta:
 description = "Chinese Hacktool Set - file v.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1755,6 +1856,7 @@ rule Ms_Viru_v {
 rule CN_Tools_Vscan {
 meta:
 description = "Chinese Hacktool Set - file Vscan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1772,6 +1874,7 @@ rule CN_Tools_Vscan {
 rule Dos_iis {
 meta:
 description = "Chinese Hacktool Set - file iis.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1791,6 +1894,7 @@ rule Dos_iis {
 rule IISPutScannesr {
 meta:
 description = "Chinese Hacktool Set - file IISPutScannesr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1805,6 +1909,7 @@ rule IISPutScannesr {
 rule Generate {
 meta:
 description = "Chinese Hacktool Set - file Generate.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1822,6 +1927,7 @@ rule Generate {
 rule Pc_rejoice {
 meta:
 description = "Chinese Hacktool Set - file rejoice.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1840,6 +1946,7 @@ rule Pc_rejoice {
 rule ms11080_withcmd {
 meta:
 description = "Chinese Hacktool Set - file ms11080_withcmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1857,6 +1964,7 @@ rule ms11080_withcmd {
 rule OtherTools_xiaoa {
 meta:
 description = "Chinese Hacktool Set - file xiaoa.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1875,6 +1983,7 @@ rule OtherTools_xiaoa {
 rule unknown2 {
 meta:
 description = "Chinese Hacktool Set - file unknown2.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1894,6 +2003,7 @@ rule unknown2 {
 rule hydra_7_3_hydra {
 meta:
 description = "Chinese Hacktool Set - file hydra.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1911,6 +2021,7 @@ rule hydra_7_3_hydra {
 rule OracleScan {
 meta:
 description = "Chinese Hacktool Set - file OracleScan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1927,6 +2038,7 @@ rule OracleScan {
 rule SQLTools {
 meta:
 description = "Chinese Hacktool Set - file SQLTools.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1946,6 +2058,7 @@ rule SQLTools {
 rule portscanner {
 meta:
 description = "Chinese Hacktool Set - file portscanner.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1962,6 +2075,7 @@ rule portscanner {
 rule kappfree {
 meta:
 description = "Chinese Hacktool Set - file kappfree.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1977,6 +2091,7 @@ rule kappfree {
 rule Smartniff {
 meta:
 description = "Chinese Hacktool Set - file Smartniff.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -1992,6 +2107,7 @@ rule Smartniff {
 rule ChinaChopper_caidao {
 meta:
 description = "Chinese Hacktool Set - file caidao.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2010,6 +2126,7 @@ rule ChinaChopper_caidao {
 rule KiwiTaskmgr_2 {
 meta:
 description = "Chinese Hacktool Set - file KiwiTaskmgr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2025,6 +2142,7 @@ rule KiwiTaskmgr_2 {
 rule kappfree_2 {
 meta:
 description = "Chinese Hacktool Set - file kappfree.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2041,6 +2159,7 @@ rule kappfree_2 {
 rule x_way2_5_sqlcmd {
 meta:
 description = "Chinese Hacktool Set - file sqlcmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2069,6 +2188,7 @@ rule x_way2_5_sqlcmd {
 rule Win32_klock {
 meta:
 description = "Chinese Hacktool Set - file klock.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2084,6 +2204,7 @@ rule Win32_klock {
 rule ipsearcher {
 meta:
 description = "Chinese Hacktool Set - file ipsearcher.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2100,6 +2221,7 @@ rule ipsearcher {
 rule ms10048_x64 {
 meta:
 description = "Chinese Hacktool Set - file ms10048-x64.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2116,6 +2238,7 @@ rule ms10048_x64 {
 rule hscangui {
 meta:
 description = "Chinese Hacktool Set - file hscangui.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2132,6 +2255,7 @@ rule hscangui {
 rule GoodToolset_ms11080 {
 meta:
 description = "Chinese Hacktool Set - file ms11080.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2150,6 +2274,7 @@ rule GoodToolset_ms11080 {
 rule epathobj_exp64 {
 meta:
 description = "Chinese Hacktool Set - file epathobj_exp64.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2168,6 +2293,7 @@ rule epathobj_exp64 {
 rule kelloworld_2 {
 meta:
 description = "Chinese Hacktool Set - file kelloworld.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2183,6 +2309,7 @@ rule kelloworld_2 {
 rule HScan_v1_20_hscan {
 meta:
 description = "Chinese Hacktool Set - file hscan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2200,6 +2327,7 @@ rule HScan_v1_20_hscan {
 rule _Project1_Generate_rejoice {
 meta:
 description = "Chinese Hacktool Set - from files Project1.exe, Generate.exe, rejoice.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2221,6 +2349,7 @@ rule _Project1_Generate_rejoice {
 rule _hscan_hscan_hscangui {
 meta:
 description = "Chinese Hacktool Set - from files hscan.exe, hscan.exe, hscangui.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2241,6 +2370,7 @@ rule _hscan_hscan_hscangui {
 rule kiwi_tools {
 meta:
 description = "Chinese Hacktool Set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
@@ -2274,6 +2404,7 @@ rule kiwi_tools {
 rule kiwi_tools_gentil_kiwi {
 meta:
 description = "Chinese Hacktool Set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
diff --git a/yara/gen_cn_webshells.yar b/yara/gen_cn_webshells.yar
index 269143f..ea53e3a 100644
--- a/yara/gen_cn_webshells.yar
+++ b/yara/gen_cn_webshells.yar
@@ -10,7 +10,8 @@
 rule Tools_cmd {
 meta:
 description = "Chinese Hacktool Set - file cmd.jSp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "02e37b95ef670336dc95331ec73dbb5a86f3ba2b"
@@ -33,7 +34,8 @@ rule Tools_cmd {
 rule trigger_drop {
 meta:
 description = "Chinese Hacktool Set - file trigger_drop.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "165dd2d82bf87285c8a53ad1ede6d61a90837ba4"
@@ -49,7 +51,8 @@ rule trigger_drop {
 rule InjectionParameters {
 meta:
 description = "Chinese Hacktool Set - file InjectionParameters.vb"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "4f11aa5b3660c45e527606ee33de001f4994e1ea"
@@ -63,7 +66,8 @@ rule InjectionParameters {
 rule users_list {
 meta:
 description = "Chinese Hacktool Set - file users_list.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "6fba1a1a607198ed232405ccbebf9543037a63ef"
@@ -78,7 +82,8 @@ rule users_list {
 rule trigger_modify {
 meta:
 description = "Chinese Hacktool Set - file trigger_modify.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "c93cd7a6c3f962381e9bf2b511db9b1639a22de0"
@@ -95,7 +100,8 @@ rule trigger_modify {
 rule Customize {
 meta:
 description = "Chinese Hacktool Set - file Customize.aspx"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "db556879dff9a0101a7a26260a5d0dc471242af2"
@@ -111,7 +117,8 @@ rule Customize {
 rule oracle_data {
 meta:
 description = "Chinese Hacktool Set - file oracle_data.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "6cf070017be117eace4752650ba6cf96d67d2106"
@@ -126,7 +133,8 @@ rule oracle_data {
 rule reDuhServers_reDuh {
 meta:
 description = "Chinese Hacktool Set - file reDuh.jsp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "377886490a86290de53d696864e41d6a547223b0"
@@ -141,7 +149,8 @@ rule reDuhServers_reDuh {
 rule item_old {
 meta:
 description = "Chinese Hacktool Set - file item-old.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "daae358bde97e534bc7f2b0134775b47ef57e1da"
@@ -156,7 +165,8 @@ rule item_old {
 rule Tools_2014 {
 meta:
 description = "Chinese Hacktool Set - file 2014.jsp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "74518faf08637c53095697071db09d34dbe8d676"
@@ -171,7 +181,8 @@ rule Tools_2014 {
 rule reDuhServers_reDuh_2 {
 meta:
 description = "Chinese Hacktool Set - file reDuh.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "512d0a3e7bb7056338ad0167f485a8a6fa1532a3"
@@ -186,7 +197,8 @@ rule reDuhServers_reDuh_2 {
 rule Customize_2 {
 meta:
 description = "Chinese Hacktool Set - file Customize.jsp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "37cd17543e14109d3785093e150652032a85d734"
@@ -200,7 +212,8 @@ rule Customize_2 {
 rule ChinaChopper_one {
 meta:
 description = "Chinese Hacktool Set - file one.asp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "6cd28163be831a58223820e7abe43d5eacb14109"
@@ -213,7 +226,8 @@ rule ChinaChopper_one {
 rule CN_Tools_old {
 meta:
 description = "Chinese Hacktool Set - file old.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "f8a007758fda8aa1c0af3c43f3d7e3186a9ff307"
@@ -229,7 +243,8 @@ rule CN_Tools_old {
 rule item_301 {
 meta:
 description = "Chinese Hacktool Set - file item-301.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "15636f0e7dc062437608c1f22b1d39fa15ab2136"
@@ -245,7 +260,8 @@ rule item_301 {
 rule CN_Tools_item {
 meta:
 description = "Chinese Hacktool Set - file item.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "a584db17ad93f88e56fd14090fae388558be08e4"
@@ -261,7 +277,8 @@ rule CN_Tools_item {
 rule f3_diy {
 meta:
 description = "Chinese Hacktool Set - file diy.asp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "f39c2f64abe5e86d8d36dbb7b1921c7eab63bec9"
@@ -275,7 +292,8 @@ rule f3_diy {
 rule ChinaChopper_temp {
 meta:
 description = "Chinese Hacktool Set - file temp.asp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "b0561ea52331c794977d69704345717b4eb0a2a7"
@@ -291,7 +309,8 @@ rule ChinaChopper_temp {
 rule Tools_2015 {
 meta:
 description = "Chinese Hacktool Set - file 2015.jsp"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "8fc67359567b78cadf5d5c91a623de1c1d2ab689"
@@ -308,7 +327,8 @@ rule Tools_2015 {
 rule ChinaChopper_temp_2 {
 meta:
 description = "Chinese Hacktool Set - file temp.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "604a4c07161ce1cd54aed5566e5720161b59deee"
@@ -321,7 +341,8 @@ rule ChinaChopper_temp_2 {
 rule templatr {
 meta:
 description = "Chinese Hacktool Set - file templatr.php"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "759df470103d36a12c7d8cf4883b0c58fe98156b"
@@ -334,7 +355,8 @@ rule templatr {
 rule reDuhServers_reDuh_3 {
 meta:
 description = "Chinese Hacktool Set - file reDuh.aspx"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "0744f64c24bf4c0bef54651f7c88a63e452b3b2d"
@@ -350,7 +372,8 @@ rule reDuhServers_reDuh_3 {
 rule ChinaChopper_temp_3 {
 meta:
 description = "Chinese Hacktool Set - file temp.aspx"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-13"
 hash = "c5ecb8bc1d7f0e716b06107b5bd275008acaf7b7"
@@ -364,7 +387,8 @@ rule ChinaChopper_temp_3 {
 rule Shell_Asp {
 meta:
 description = "Chinese Hacktool Set Webshells - file Asp.html"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "5e0bc914ac287aa1418f6554ddbe0ce25f2b5f20"
@@ -380,7 +404,8 @@ rule Shell_Asp {
 rule Txt_aspxtag {
 meta:
 description = "Chinese Hacktool Set - Webshells - file aspxtag.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "42cb272c02dbd49856816d903833d423d3759948"
@@ -395,7 +420,8 @@ rule Txt_aspxtag {
 rule Txt_php {
 meta:
 description = "Chinese Hacktool Set - Webshells - file php.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "eaa1af4b898f44fc954b485d33ce1d92790858d0"
@@ -411,7 +437,8 @@ rule Txt_php {
 rule Txt_aspx1 {
 meta:
 description = "Chinese Hacktool Set - Webshells - file aspx1.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "c5ecb8bc1d7f0e716b06107b5bd275008acaf7b7"
@@ -425,7 +452,8 @@ rule Txt_aspx1 {
 rule Txt_shell {
 meta:
 description = "Chinese Hacktool Set - Webshells - file shell.c"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "8342b634636ef8b3235db0600a63cc0ce1c06b62"
@@ -442,7 +470,8 @@ rule Txt_shell {
 rule Txt_asp {
 meta:
 description = "Chinese Hacktool Set - Webshells - file asp.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "a63549f749f4d9d0861825764e042e299e06a705"
@@ -456,7 +485,8 @@ rule Txt_asp {
 rule Txt_asp1 {
 meta:
 description = "Chinese Hacktool Set - Webshells - file asp1.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "95934d05f0884e09911ea9905c74690ace1ef653"
@@ -472,7 +502,8 @@ rule Txt_asp1 {
 rule Txt_php_2 {
 meta:
 description = "Chinese Hacktool Set - Webshells - file php.html"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "a7d5fcbd39071e0915c4ad914d31e00c7127bcfc"
@@ -492,7 +523,8 @@ rule Txt_php_2 {
 rule Txt_ftp {
 meta:
 description = "Chinese Hacktool Set - Webshells - file ftp.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "3495e6bcb5484e678ce4bae0bd1a420b7eb6ad1d"
@@ -511,7 +543,8 @@ rule Txt_ftp {
 rule Txt_lcx {
 meta:
 description = "Chinese Hacktool Set - Webshells - file lcx.c"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "ddb3b6a5c5c22692de539ccb796ede214862befe"
@@ -528,7 +561,8 @@ rule Txt_lcx {
 rule Txt_jspcmd {
 meta:
 description = "Chinese Hacktool Set - Webshells - file jspcmd.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "1d4e789031b15adde89a4628afc759859e53e353"
@@ -542,7 +576,8 @@ rule Txt_jspcmd {
 rule Txt_jsp {
 meta:
 description = "Chinese Hacktool Set - Webshells - file jsp.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "74518faf08637c53095697071db09d34dbe8d676"
@@ -558,7 +593,8 @@ rule Txt_jsp {
 rule Txt_aspxlcx {
 meta:
 description = "Chinese Hacktool Set - Webshells - file aspxlcx.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "453dd3160db17d0d762e032818a5a10baf234e03"
@@ -574,7 +610,8 @@ rule Txt_aspxlcx {
 rule Txt_xiao {
 meta:
 description = "Chinese Hacktool Set - Webshells - file xiao.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "b3b98fb57f5f5ccdc42e746e32950834807903b7"
@@ -591,7 +628,8 @@ rule Txt_xiao {
 rule Txt_aspx {
 meta:
 description = "Chinese Hacktool Set - Webshells - file aspx.jpg"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "ce24e277746c317d887139a0d71dd250bfb0ed58"
@@ -607,7 +645,8 @@ rule Txt_aspx {
 rule Txt_Sql {
 meta:
 description = "Chinese Hacktool Set - Webshells - file Sql.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "f7813f1dfa4eec9a90886c80b88aa38e2adc25d5"
@@ -623,7 +662,8 @@ rule Txt_Sql {
 rule Txt_hello {
 meta:
 description = "Chinese Hacktool Set - Webshells - file hello.txt"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://tools.zjqhr.com/"
 date = "2015-06-14"
 hash = "697a9ebcea6a22a16ce1a51437fcb4e1a1d7f079"
diff --git a/yara/gen_crimson_rat.yar b/yara/gen_crimson_rat.yar
index bf3cd18..22c4b8c 100644
--- a/yara/gen_crimson_rat.yar
+++ b/yara/gen_crimson_rat.yar
@@ -11,6 +11,7 @@
 rule CrimsonRAT_Mar18_1 {
 meta:
 description = "Detects CrimsonRAT malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-03-06"
diff --git a/yara/gen_crunchrat.yar b/yara/gen_crunchrat.yar
index c9dd340..be9ed1e 100644
--- a/yara/gen_crunchrat.yar
+++ b/yara/gen_crunchrat.yar
@@ -2,6 +2,7 @@
 rule CrunchRAT {
 meta:
 description = "Detects CrunchRAT - file CrunchRAT.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/t3ntman/CrunchRAT"
 date = "2017-11-03"
diff --git a/yara/gen_deviceguard_evasion.yar b/yara/gen_deviceguard_evasion.yar
index 53bad63..a92c904 100644
--- a/yara/gen_deviceguard_evasion.yar
+++ b/yara/gen_deviceguard_evasion.yar
@@ -1,5 +1,6 @@
 rule DeviceGuard_WDS_Evasion {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Detects WDS file used to circumvent Device Guard"
 score = 80
diff --git a/yara/gen_dropper_pdb.yar b/yara/gen_dropper_pdb.yar
index 7dd1a15..2f0f27d 100644
--- a/yara/gen_dropper_pdb.yar
+++ b/yara/gen_dropper_pdb.yar
@@ -2,6 +2,7 @@
 rule Generic_Dropper {
 meta:
 description = "Detects Dropper PDB string in file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/JAHZVL"
 date = "2018-03-03"
diff --git a/yara/gen_empire.yar b/yara/gen_empire.yar
index a0500e7..ee59330 100644
--- a/yara/gen_empire.yar
+++ b/yara/gen_empire.yar
@@ -10,6 +10,7 @@
 rule Empire_Invoke_MetasploitPayload {
 meta:
 description = "Detects Empire component - file Invoke-MetasploitPayload.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -24,6 +25,7 @@ rule Empire_Invoke_MetasploitPayload {
 rule Empire_Exploit_Jenkins {
 meta:
 description = "Detects Empire component - file Exploit-Jenkins.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -39,6 +41,7 @@ rule Empire_Exploit_Jenkins {
 rule Empire_Get_SecurityPackages {
 meta:
 description = "Detects Empire component - file Get-SecurityPackages.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
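Review bot: The added `license` line in DeviceGuard_WDS_Evasion is inserted as the first key of the meta block, before `author`, whereas every other hunk in this commit places it directly after `description`; in this file `description` follows `author`, so the mechanical insertion lands in a different position. A single fixed position for the key (always right after `description`, or always first) keeps the meta blocks uniform for any script that parses or lints rule metadata; moving the new line to just after `description = "Detects WDS file used to circumvent Device Guard"` would match the rest of the commit. The rule body continues outside the hunk.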
@@ -53,6 +56,7 @@ rule Empire_Get_SecurityPackages {
 rule Empire_Invoke_PowerDump {
 meta:
 description = "Detects Empire component - file Invoke-PowerDump.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -68,6 +72,7 @@ rule Empire_Invoke_PowerDump {
 rule Empire_Install_SSP {
 meta:
 description = "Detects Empire component - file Install-SSP.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -81,6 +86,7 @@ rule Empire_Install_SSP {
 rule Empire_Invoke_ShellcodeMSIL {
 meta:
 description = "Detects Empire component - file Invoke-ShellcodeMSIL.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -97,6 +103,7 @@ rule Empire_Invoke_ShellcodeMSIL {
 rule Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp {
 meta:
 description = "Detects Empire component - file PowerUp.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -110,6 +117,7 @@ rule Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp {
 rule Empire_Invoke_Mimikatz_Gen {
 meta:
 description = "Detects Empire component - file Invoke-Mimikatz.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -124,6 +132,7 @@ rule Empire_Invoke_Mimikatz_Gen {
 rule Empire_Get_GPPPassword {
 meta:
 description = "Detects Empire component - file Get-GPPPassword.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -139,6 +148,7 @@ rule Empire_Get_GPPPassword {
 rule Empire_Invoke_SmbScanner {
 meta:
 description = "Detects Empire component - file Invoke-SmbScanner.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -153,6 +163,7 @@ rule Empire_Invoke_SmbScanner {
 rule Empire_Exploit_JBoss {
 meta:
 description = "Detects Empire component - file Exploit-JBoss.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -170,6 +181,7 @@ rule Empire_Exploit_JBoss {
 rule Empire_dumpCredStore {
 meta:
 description = "Detects Empire component - file dumpCredStore.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -185,6 +197,7 @@ rule Empire_dumpCredStore {
 rule Empire_Invoke_EgressCheck {
 meta:
 description = "Detects Empire component - file Invoke-EgressCheck.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -198,6 +211,7 @@ rule Empire_Invoke_EgressCheck {
 rule Empire_ReflectivePick_x64_orig {
 meta:
 description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -213,6 +227,7 @@ rule Empire_ReflectivePick_x64_orig {
 rule Empire_Out_Minidump {
 meta:
 description = "Detects Empire component - file Out-Minidump.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -227,6 +242,7 @@ rule Empire_Out_Minidump {
 rule Empire_Invoke_PsExec {
 meta:
 description = "Detects Empire component - file Invoke-PsExec.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -242,6 +258,7 @@ rule Empire_Invoke_PsExec {
 rule Empire_Invoke_PostExfil {
 meta:
 description = "Detects Empire component - file Invoke-PostExfil.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -256,6 +273,7 @@ rule Empire_Invoke_PostExfil {
 rule Empire_Invoke_SMBAutoBrute {
 meta:
 description = "Detects Empire component - file Invoke-SMBAutoBrute.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -270,6 +288,7 @@ rule Empire_Invoke_SMBAutoBrute {
 rule Empire_Get_Keystrokes {
 meta:
 description = "Detects Empire component - file Get-Keystrokes.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -283,6 +302,7 @@ rule Empire_Get_Keystrokes {
 rule Empire_Invoke_DllInjection {
 meta:
 description = "Detects Empire component - file Invoke-DllInjection.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -296,6 +316,7 @@ rule Empire_Invoke_DllInjection {
 rule Empire_KeePassConfig {
 meta:
 description = "Detects Empire component - file KeePassConfig.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -309,6 +330,7 @@ rule Empire_KeePassConfig {
 rule Empire_Invoke_SSHCommand {
 meta:
 description = "Detects Empire component - file Invoke-SSHCommand.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -326,6 +348,7 @@ rule Empire_Invoke_SSHCommand {
 rule Empire_PowerShell_Framework_Gen1 {
 meta:
 description = "Detects Empire component"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -345,6 +368,7 @@ rule Empire_PowerShell_Framework_Gen1 {
 rule Empire_PowerUp_Gen {
 meta:
 description = "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -360,6 +384,7 @@ rule Empire_PowerUp_Gen {
 rule Empire_PowerShell_Framework_Gen2 {
 meta:
 description = "Detects Empire component"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -379,6 +404,7 @@ rule Empire_PowerShell_Framework_Gen2 {
 rule Empire_Agent_Gen {
 meta:
 description = "Detects Empire component - from files agent.ps1, agent.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -396,6 +422,7 @@ rule Empire_Agent_Gen {
 rule Empire_PowerShell_Framework_Gen3 {
 meta:
 description = "Detects Empire component"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -414,6 +441,7 @@ rule Empire_PowerShell_Framework_Gen3 {
 rule Empire_Invoke_InveighRelay_Gen {
 meta:
 description = "Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -429,6 +457,7 @@ rule Empire_Invoke_InveighRelay_Gen {
 rule Empire_KeePassConfig_Gen {
 meta:
 description = "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -443,6 +472,7 @@ rule Empire_KeePassConfig_Gen {
 rule Empire_Invoke_Portscan_Gen {
 meta:
 description = "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -458,6 +488,7 @@ rule Empire_Invoke_Portscan_Gen {
 rule Empire_PowerShell_Framework_Gen4 {
 meta:
 description = "Detects Empire component"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -484,6 +515,7 @@ rule Empire_PowerShell_Framework_Gen4 {
 rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {
 meta:
 description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -500,6 +532,7 @@ rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {
 rule Empire_Invoke_Gen {
 meta:
 description = "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
@@ -517,6 +550,7 @@ rule Empire_Invoke_Gen {
 rule Empire_PowerShell_Framework_Gen5 {
 meta:
 description = "Detects Empire component"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/adaptivethreat/Empire"
 date = "2016-11-05"
diff --git a/yara/gen_enigma_protector.yar b/yara/gen_enigma_protector.yar
index 77cb642..24100b9 100644
--- a/yara/gen_enigma_protector.yar
+++ b/yara/gen_enigma_protector.yar
@@ -8,6 +8,7 @@
 rule EnigmaPacker_Rare {
 meta:
 description = "Detects an ENIGMA packed executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-04-27"
diff --git a/yara/gen_floxif.yar b/yara/gen_floxif.yar
index 54b873b..60ac188 100644
--- a/yara/gen_floxif.yar
+++ b/yara/gen_floxif.yar
@@ -2,6 +2,7 @@
 rule Malware_Floxif_mpsvc_dll {
 meta:
 description = "Malware - Floxif"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-04-07"
diff --git a/yara/gen_gen_cactustorch.yar b/yara/gen_gen_cactustorch.yar
index fc07064..b7371ce 100644
--- a/yara/gen_gen_cactustorch.yar
+++ b/yara/gen_gen_cactustorch.yar
@@ -11,6 +11,7 @@
 rule CACTUSTORCH {
 meta:
 description = "Detects CactusTorch Hacktool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/mdsecactivebreach/CACTUSTORCH"
 date = "2017-07-31"
diff --git a/yara/gen_gpp_cpassword.yar b/yara/gen_gpp_cpassword.yar
index 6888418..362b058 100644
--- a/yara/gen_gpp_cpassword.yar
+++ b/yara/gen_gpp_cpassword.yar
@@ -2,7 +2,8 @@
 rule Groups_cpassword {
 meta:
 description = "Groups XML contains cpassword value, which is decrypted password - key is in MSDN http://goo.gl/mHrC8P"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 reference = "http://www.grouppolicy.biz/2013/11/why-passwords-in-group-policy-preference-are-very-bad/"
 date = "2015-09-08"
 score = 50
diff --git a/yara/gen_hawkeye.yar b/yara/gen_hawkeye.yar
index 80a92f0..82251e0 100644
--- a/yara/gen_hawkeye.yar
+++ b/yara/gen_hawkeye.yar
@@ -2,6 +2,7 @@
 rule HawkEye_Keylogger_Feb18_1 {
 meta:
 description = "Detects HawkEye keylogger variante observed in February 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9"
 date = "2018-02-12"
diff --git a/yara/gen_hta_anomalies.yar b/yara/gen_hta_anomalies.yar
index 3109b1d..274aeb2 100644
--- a/yara/gen_hta_anomalies.yar
+++ b/yara/gen_hta_anomalies.yar
@@ -11,6 +11,7 @@
 rule HTA_with_WScript_Shell {
 meta:
 description = "Detects WScript Shell in HTA"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/msftmmpc/status/877396932758560768"
 date = "2017-06-21"
@@ -26,6 +27,7 @@ rule HTA_with_WScript_Shell {
 rule HTA_Embedded {
 meta:
 description = "Detects an embedded HTA file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/msftmmpc/status/877396932758560768"
 date = "2017-06-21"
diff --git a/yara/gen_impacket_tools.yar b/yara/gen_impacket_tools.yar
index d41dcef..4a7a0f7 100644
--- a/yara/gen_impacket_tools.yar
+++ b/yara/gen_impacket_tools.yar
@@ -11,6 +11,7 @@
 rule Impacket_Tools_tracer {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -26,6 +27,7 @@ rule Impacket_Tools_tracer {
 rule Impacket_Tools_wmiexec {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -41,6 +43,7 @@ rule Impacket_Tools_wmiexec {
 rule Impacket_Tools_sniffer {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -55,6 +58,7 @@ rule Impacket_Tools_sniffer {
 rule Impacket_Tools_mmcexec {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -69,6 +73,7 @@ rule Impacket_Tools_mmcexec {
 rule Impacket_Tools_ifmap {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -83,6 +88,7 @@ rule Impacket_Tools_ifmap {
 rule karmaSMB {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -96,6 +102,7 @@ rule karmaSMB {
 rule samrdump {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -110,6 +117,7 @@ rule samrdump {
 rule Impacket_Tools_rpcdump {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -124,6 +132,7 @@ rule Impacket_Tools_rpcdump {
 rule Impacket_Tools_secretsdump {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -138,6 +147,7 @@ rule Impacket_Tools_secretsdump {
 rule Impacket_Tools_esentutl {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -152,6 +162,7 @@ rule Impacket_Tools_esentutl {
 rule Impacket_Tools_opdump {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -166,6 +177,7 @@ rule Impacket_Tools_opdump {
 rule Impacket_Tools_sniff {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -180,6 +192,7 @@ rule Impacket_Tools_sniff {
 rule Impacket_Tools_smbexec {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -194,6 +207,7 @@ rule Impacket_Tools_smbexec {
 rule Impacket_Tools_goldenPac {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -209,6 +223,7 @@ rule Impacket_Tools_goldenPac {
 rule Impacket_Tools_netview {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -224,6 +239,7 @@ rule Impacket_Tools_netview {
 rule Impacket_Tools_smbtorture {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -238,6 +254,7 @@ rule Impacket_Tools_smbtorture {
 rule Impacket_Tools_mimikatz {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -253,6 +270,7 @@ rule Impacket_Tools_mimikatz {
 rule Impacket_Tools_smbrelayx {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -269,6 +287,7 @@ rule Impacket_Tools_smbrelayx {
 rule Impacket_Tools_wmipersist {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -283,6 +302,7 @@ rule Impacket_Tools_wmipersist {
 rule Impacket_Tools_lookupsid {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -297,6 +317,7 @@ rule Impacket_Tools_lookupsid {
 rule Impacket_Tools_wmiquery {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -311,6 +332,7 @@ rule Impacket_Tools_wmiquery {
 rule Impacket_Tools_atexec {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -327,6 +349,7 @@ rule Impacket_Tools_atexec {
 rule Impacket_Tools_psexec {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
@@ -342,6 +365,7 @@ rule Impacket_Tools_psexec {
 rule Impacket_Tools_Generic_1 {
 meta:
 description = "Compiled Impacket Tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/maaaaz/impacket-examples-windows"
 date = "2017-04-07"
diff --git a/yara/gen_invoke_mimikatz.yar b/yara/gen_invoke_mimikatz.yar
index 12c5b93..dcd1fac 100644
--- a/yara/gen_invoke_mimikatz.yar
+++ b/yara/gen_invoke_mimikatz.yar
@@ -10,6 +10,7 @@
 rule Invoke_Mimikatz {
 meta:
 description = "Detects Invoke-Mimikatz String"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz"
 date = "2016-08-03"
diff --git a/yara/gen_invoke_psimage.yar b/yara/gen_invoke_psimage.yar
index d826e7c..e299241 100644
--- a/yara/gen_invoke_psimage.yar
+++ b/yara/gen_invoke_psimage.yar
@@ -2,6 +2,7 @@
 rule Invoke_PSImage {
 meta:
 description = "Detects a command to execute PowerShell from String"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/peewpw/Invoke-PSImage"
 date = "2017-12-16"
diff --git a/yara/gen_invoke_thehash.yar b/yara/gen_invoke_thehash.yar
index b797b2a..6a2f15d 100644
--- a/yara/gen_invoke_thehash.yar
+++ b/yara/gen_invoke_thehash.yar
@@ -12,6 +12,7 @@
 rule Invoke_SMBExec {
 meta:
 description = "Detects Invoke-WmiExec or Invoke-SmbExec"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Kevin-Robertson/Invoke-TheHash"
 date = "2017-06-14"
@@ -30,6 +31,7 @@ rule Invoke_SMBExec {
 rule Invoke_WMIExec_Gen_1 {
 meta:
 description = "Detects Invoke-WmiExec or Invoke-SmbExec"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Kevin-Robertson/Invoke-TheHash"
 date = "2017-06-14"
@@ -49,6 +51,7 @@ rule Invoke_WMIExec_Gen_1 {
 rule Invoke_SMBExec_Invoke_WMIExec_1 {
 meta:
 description = "Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Kevin-Robertson/Invoke-TheHash"
 date = "2017-06-14"
@@ -66,6 +69,7 @@ rule Invoke_SMBExec_Invoke_WMIExec_1 {
 rule Invoke_WMIExec_Gen {
 meta:
 description = "Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Kevin-Robertson/Invoke-TheHash"
 date = "2017-06-14"
diff --git a/yara/gen_javascript_powershell.yar b/yara/gen_javascript_powershell.yar
index ea21d31..79b5001 100644
--- a/yara/gen_javascript_powershell.yar
+++ b/yara/gen_javascript_powershell.yar
@@ -2,6 +2,7 @@
 rule Malware_JS_powershell_obfuscated {
 meta:
 description = "Unspecified malware - file rechnung_3.js"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-24"
diff --git a/yara/gen_kerberoast.yar b/yara/gen_kerberoast.yar
index 9f4d3fc..4376f7a 100644
--- a/yara/gen_kerberoast.yar
+++ b/yara/gen_kerberoast.yar
@@ -8,6 +8,7 @@
 rule GetUserSPNs_VBS {
 meta:
 description = "Auto-generated rule - file GetUserSPNs.vbs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/skelsec/PyKerberoast"
 date = "2016-05-21"
@@ -23,6 +24,7 @@ rule GetUserSPNs_VBS {
 rule GetUserSPNs_PS1 {
 meta:
 description = "Auto-generated rule - file GetUserSPNs.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/skelsec/PyKerberoast"
 date = "2016-05-21"
@@ -39,6 +41,7 @@ rule GetUserSPNs_PS1 {
 rule kerberoast_PY {
 meta:
 description = "Auto-generated rule - file kerberoast.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/skelsec/PyKerberoast"
 date = "2016-05-21"
diff --git a/yara/gen_loaders.yar b/yara/gen_loaders.yar
index 0b5f594..b6c539f 100644
--- a/yara/gen_loaders.yar
+++ b/yara/gen_loaders.yar
@@ -42,6 +42,7 @@ rule ReflectiveLoader {
 rule Reflective_DLL_Loader_Aug17_1 {
 meta:
 description = "Detects Reflective DLL Loader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-08-20"
@@ -65,6 +66,7 @@ rule Reflective_DLL_Loader_Aug17_1 {
 rule DLL_Injector_Lynx {
 meta:
 description = "Detects Lynx DLL Injector"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-08-20"
@@ -87,6 +89,7 @@ rule DLL_Injector_Lynx {
 rule Reflective_DLL_Loader_Aug17_2 {
 meta:
 description = "Detects Reflective DLL Loader - suspicious - Possible FP could be program crack"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-08-20"
@@ -113,6 +116,7 @@ rule Reflective_DLL_Loader_Aug17_2 {
 rule Reflective_DLL_Loader_Aug17_3 {
 meta:
 description = "Detects Reflective DLL Loader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-08-20"
@@ -136,6 +140,7 @@ rule Reflective_DLL_Loader_Aug17_3 {
 rule Reflective_DLL_Loader_Aug17_4 {
 meta:
 description = "Detects Reflective DLL Loader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-08-20"
diff --git a/yara/gen_mal_link.yar b/yara/gen_mal_link.yar
index f5544d5..d53c505 100644
--- a/yara/gen_mal_link.yar
+++ b/yara/gen_mal_link.yar
@@ -2,6 +2,7 @@
 rule LNK_Malicious_Nov1 {
 meta:
 description = "Detects a malicious LNK file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/"
 date = "2017-11-06"
diff --git a/yara/gen_mal_scripts.yar b/yara/gen_mal_scripts.yar
index 9f9e21d..a182fc6 100644
--- a/yara/gen_mal_scripts.yar
+++ b/yara/gen_mal_scripts.yar
@@ -4,6 +4,7 @@
 rule PS_AMSI_Bypass {
 meta:
 description = "Detects PowerShell AMSI Bypass"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1"
 date = "2017-07-19"
@@ -18,6 +19,7 @@ rule PS_AMSI_Bypass {
 rule JS_Suspicious_Obfuscation_Dropbox {
 meta:
 description = "Detects PowerShell AMSI Bypass"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
 date = "2017-07-19"
@@ -32,6 +34,7 @@ rule JS_Suspicious_Obfuscation_Dropbox {
 rule JS_Suspicious_MSHTA_Bypass {
 meta:
 description = "Detects MSHTA Bypass"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
 date = "2017-07-19"
@@ -47,6 +50,7 @@ rule JS_Suspicious_MSHTA_Bypass {
 rule JavaScript_Run_Suspicious {
 meta:
 description = "Detects a suspicious Javascript Run command"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/craiu/status/900314063560998912"
 score = 60
@@ -70,6 +74,7 @@ private rule MSI {
 rule Certutil_Decode_OR_Download {
 meta:
 description = "Certutil Decode"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 score = 40
@@ -88,6 +93,7 @@ rule Certutil_Decode_OR_Download {
 rule Suspicious_JS_script_content {
 meta:
 description = "Detects suspicious statements in JavaScript files"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Research on Leviathan https://goo.gl/MZ7dRg"
 date = "2017-12-02"
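Review bot: The context line directly above the added `license` in JS_Suspicious_Obfuscation_Dropbox still reads `description = "Detects PowerShell AMSI Bypass"`, which is the description of the preceding rule PS_AMSI_Bypass and does not describe this rule, so anyone triaging a hit on it is told the wrong thing. Since the commit already edits this meta block, it is the natural moment to correct it, e.g. `description = "Detects suspicious obfuscated JavaScript referencing Dropbox"`; the exact wording should be checked against the rule's strings, which are outside the hunk. The rule body continues outside the hunk.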
@@ -105,6 +111,7 @@ rule Suspicious_JS_script_content {
 rule Universal_Exploit_Strings {
 meta:
 description = "Detects a group of strings often used in exploit codes"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2017-12-02"
@@ -122,6 +129,7 @@ rule Universal_Exploit_Strings {
 rule VBS_Obfuscated_Mal_Feb18_1 {
 meta:
 description = "Detects malicious obfuscated VBS observed in February 2018"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/zPsn83"
 date = "2018-02-12"
diff --git a/yara/gen_malware_set_qa.yar b/yara/gen_malware_set_qa.yar
index 72137ea..6664350 100644
--- a/yara/gen_malware_set_qa.yar
+++ b/yara/gen_malware_set_qa.yar
@@ -13,6 +13,7 @@
 rule Malware_QA_not_copy {
 meta:
 description = "VT Research QA uploaded malware - file not copy.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Research QA"
 date = "2016-08-29"
@@ -37,6 +38,7 @@ rule Malware_QA_not_copy {
 rule Malware_QA_update {
 meta:
 description = "VT Research QA uploaded malware - file update.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Research QA"
 date = "2016-08-29"
@@ -67,6 +69,7 @@ rule Malware_QA_update {
 rule Malware_QA_tls {
 meta:
 description = "VT Research QA uploaded malware - file tls.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Research QA"
 date = "2016-08-29"
@@ -83,6 +86,7 @@ rule Malware_QA_tls {
 rule Malware_QA_get_The_FucKinG_IP {
 meta:
 description = "VT Research QA uploaded malware - file get The FucKinG IP.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Research QA"
 date = "2016-08-29"
@@ -101,6 +105,7 @@ rule Malware_QA_get_The_FucKinG_IP {
 rule Malware_QA_vqgk {
 meta:
 description = "VT Research QA uploaded malware - file vqgk.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Research QA"
 date = "2016-08-29"
@@ -128,6 +133,7 @@ rule Malware_QA_vqgk {
 rule Malware_QA_1177 {
 meta:
 description = "VT Research QA uploaded malware - file 1177.vbs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Research QA"
 date = "2016-08-29"
diff --git a/yara/gen_metasploit_loader_rsmudge.yar b/yara/gen_metasploit_loader_rsmudge.yar
index f556696..9c57637 100644
--- a/yara/gen_metasploit_loader_rsmudge.yar
+++ b/yara/gen_metasploit_loader_rsmudge.yar
@@ -10,6 +10,7 @@
 rule Metasploit_Loader_RSMudge {
 meta:
 description = "Detects a Metasploit Loader by RSMudge - file loader.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/rsmudge/metasploit-loader"
 date = "2016-04-20"
diff --git a/yara/gen_metasploit_payloads.yar b/yara/gen_metasploit_payloads.yar
index 51fe256..600170b 100644
--- a/yara/gen_metasploit_payloads.yar
+++ b/yara/gen_metasploit_payloads.yar
@@ -10,6 +10,7 @@
 rule Msfpayloads_msf {
 meta:
 description = "Metasploit Payloads - file msf.sh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -23,6 +24,7 @@ rule Msfpayloads_msf {
 rule Msfpayloads_msf_2 {
 meta:
 description = "Metasploit Payloads - file msf.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -38,6 +40,7 @@ rule Msfpayloads_msf_2 {
 rule Msfpayloads_msf_psh {
 meta:
 description = "Metasploit Payloads - file msf-psh.vba"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -53,6 +56,7 @@ rule Msfpayloads_msf_psh {
 rule Msfpayloads_msf_exe {
 meta:
 description = "Metasploit Payloads - file msf-exe.vba"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -71,6 +75,7 @@ rule Msfpayloads_msf_exe {
 rule Msfpayloads_msf_3 {
 meta:
 description = "Metasploit Payloads - file msf.psh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -94,6 +99,7 @@ rule Msfpayloads_msf_3 {
 rule Msfpayloads_msf_4 {
 meta:
 description = "Metasploit Payloads - file msf.aspx"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -111,6 +117,7 @@ rule Msfpayloads_msf_4 {
 rule Msfpayloads_msf_exe_2 {
 meta:
 description = "Metasploit Payloads - file msf-exe.aspx"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -127,6 +134,7 @@ rule Msfpayloads_msf_exe_2 {
 rule Msfpayloads_msf_5 {
 meta:
 description = "Metasploit Payloads - file msf.msi"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -142,6 +150,7 @@ rule Msfpayloads_msf_5 {
 rule Msfpayloads_msf_6 {
 meta:
 description = "Metasploit Payloads - file msf.vbs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -161,6 +170,7 @@ rule Msfpayloads_msf_6 {
 rule Msfpayloads_msf_7 {
 meta:
 description = "Metasploit Payloads - file msf.vba"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -176,6 +186,7 @@ rule Msfpayloads_msf_7 {
 rule Msfpayloads_msf_8 {
 meta:
 description = "Metasploit Payloads - file msf.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -195,6 +206,7 @@ rule Msfpayloads_msf_8 {
 rule Msfpayloads_msf_cmd {
 meta:
 description = "Metasploit Payloads - file msf-cmd.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -208,6 +220,7 @@ rule Msfpayloads_msf_cmd {
 rule Msfpayloads_msf_9 {
 meta:
 description = "Metasploit Payloads - file msf.war - contents"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -227,6 +240,7 @@ rule Msfpayloads_msf_9 {
 rule Msfpayloads_msf_10 {
 meta:
 description = "Metasploit Payloads - file msf.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -242,6 +256,7 @@ rule Msfpayloads_msf_10 {
 rule Msfpayloads_msf_svc {
 meta:
 description = "Metasploit Payloads - file msf-svc.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -256,6 +271,7 @@ rule Msfpayloads_msf_svc {
 rule Msfpayloads_msf_11 {
 meta:
 description = "Metasploit Payloads - file msf.hta"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -271,6 +287,7 @@ rule Msfpayloads_msf_11 {
 rule Msfpayloads_msf_ref {
 meta:
 description = "Metasploit Payloads - file msf-ref.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-02-09"
@@ -290,6 +307,7 @@ rule Msfpayloads_msf_ref {
 rule MAL_Metasploit_Framework_UA {
 meta:
 description = "Detects User Agent used in Metasploit Framework"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7"
 date = "2018-08-16"
diff --git a/yara/gen_mimikittenz.yar b/yara/gen_mimikittenz.yar
index 2022423..3984842 100644
--- a/yara/gen_mimikittenz.yar
+++ b/yara/gen_mimikittenz.yar
@@ -10,6 +10,7 @@
 rule Invoke_mimikittenz {
 meta:
 description = "Detects Mimikittenz - file Invoke-mimikittenz.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/putterpanda/mimikittenz"
 date = "2016-07-19"
diff --git a/yara/gen_mimipenguin.yar b/yara/gen_mimipenguin.yar
index d3eca7c..635cad9 100644
--- a/yara/gen_mimipenguin.yar
+++ b/yara/gen_mimipenguin.yar
@@ -8,6 +8,7 @@
 rule Mimipenguin_SH {
 meta:
 description = "Detects Mimipenguin Password Extractor - Linux"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/huntergregal/mimipenguin"
 date = "2017-04-01"
@@ -32,6 +33,7 @@ rule Mimipenguin_SH {
 rule mimipenguin_1 {
 meta:
 description = "Detects Mimipenguin hack tool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/huntergregal/mimipenguin"
 date = "2017-07-08"
@@ -48,6 +50,7 @@ rule mimipenguin_1 {
 rule mimipenguin_2 {
 meta:
 description = "Detects Mimipenguin hack tool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/huntergregal/mimipenguin"
 date = "2017-07-08"
diff --git a/yara/gen_nopowershell.yar b/yara/gen_nopowershell.yar
index 6e5570f..fa983c7 100644
--- a/yara/gen_nopowershell.yar
+++ b/yara/gen_nopowershell.yar
@@ -8,6 +8,7 @@
 rule No_PowerShell {
 meta:
 description = "Detects an C# executable used to circumvent PowerShell detection - file nps.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Ben0xA/nps"
 date = "2016-05-21"
diff --git a/yara/gen_p0wnshell.yar b/yara/gen_p0wnshell.yar
index 87e4d5a..631b819 100644
--- a/yara/gen_p0wnshell.yar
+++ b/yara/gen_p0wnshell.yar
@@ -10,6 +10,7 @@
 rule p0wnedPowerCat {
 meta:
 description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/p0wnedShell"
 date = "2017-01-14"
@@ -29,6 +30,7 @@ rule p0wnedPowerCat {
 rule Hacktool_Strings_p0wnedShell {
 meta:
 description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/p0wnedShell"
 date = "2017-01-14"
@@ -50,6 +52,7 @@ rule Hacktool_Strings_p0wnedShell {
 rule p0wnedPotato {
 meta:
 description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/p0wnedShell"
 date = "2017-01-14"
@@ -67,6 +70,7 @@ rule p0wnedPotato {
 rule p0wnedExploits {
 meta:
 description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/p0wnedShell"
 date = "2017-01-14"
@@ -81,6 +85,7 @@ rule p0wnedExploits {
 rule p0wnedShellx64 {
 meta:
 description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShellx64.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/p0wnedShell"
 date = "2017-01-14"
@@ -98,6 +103,7 @@ rule p0wnedShellx64 {
 rule p0wnedListenerConsole {
 meta:
 description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedListenerConsole.cs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/p0wnedShell"
 date = "2017-01-14"
@@ -118,6 +124,7 @@ rule p0wnedListenerConsole {
 rule p0wnedBinaries {
 meta:
 description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/p0wnedShell"
 date = "2017-01-14"
@@ -137,6 +144,7 @@ rule p0wnedBinaries {
 rule p0wnedAmsiBypass {
 meta:
 description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/p0wnedShell"
 date = "2017-01-14"
@@ -152,6 +160,7 @@ rule p0wnedAmsiBypass {
 rule p0wnedShell_outputs {
 meta:
 description = "p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/p0wnedShell"
 date = "2017-01-14"
diff --git a/yara/gen_pirpi.yar b/yara/gen_pirpi.yar
index 6c94480..b03ed5d 100644
--- a/yara/gen_pirpi.yar
+++ b/yara/gen_pirpi.yar
@@ -10,6 +10,7 @@
 rule Pirpi_1609_A {
 meta:
 description = "Detects Pirpi Backdoor - and other malware (generic rule)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
@@ -43,6 +44,7 @@ rule Pirpi_1609_A {
 rule Pirpi_1609_B {
 meta:
 description = "Detects Pirpi Backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
diff --git a/yara/gen_powerkatz.yar b/yara/gen_powerkatz.yar
index 08a4cdb..ba324c9 100644
--- a/yara/gen_powerkatz.yar
+++ b/yara/gen_powerkatz.yar
@@ -9,6 +9,7 @@
 rule Powerkatz_DLL_Generic {
 meta:
 description = "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "PowerKatz Analysis"
 date = "2016-02-05"
diff --git a/yara/gen_powershdll.yar b/yara/gen_powershdll.yar
index 5ba1d3f..e4c85ab 100644
--- a/yara/gen_powershdll.yar
+++ b/yara/gen_powershdll.yar
@@ -9,6 +9,7 @@
 rule PowerShdll {
 meta:
 description = "Detects hack tool PowerShdll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/p3nt4/PowerShdll"
 date = "2017-08-03"
diff --git a/yara/gen_powershell_empire.yar b/yara/gen_powershell_empire.yar
index b64618c..a7c95bf 100644
--- a/yara/gen_powershell_empire.yar
+++ b/yara/gen_powershell_empire.yar
@@ -9,6 +9,7 @@
 rule Empire_Invoke_BypassUAC {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
@@ -26,6 +27,7 @@ rule Empire_Invoke_BypassUAC {
 rule Empire_lib_modules_trollsploit_message {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file message.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
@@ -43,6 +45,7 @@ rule Empire_lib_modules_trollsploit_message {
 rule Empire_Persistence {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
@@ -59,6 +62,7 @@ rule Empire_Persistence {
 rule Empire_portscan {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file portscan.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
@@ -74,6 +78,7 @@ rule Empire_portscan {
 rule Empire_Invoke_Shellcode {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
@@ -90,6 +95,7 @@ rule Empire_Invoke_Shellcode {
 rule Empire_Invoke_Mimikatz {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
@@ -106,6 +112,7 @@ rule Empire_Invoke_Mimikatz {
 rule Empire_lib_modules_credentials_mimikatz_pth {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file pth.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
@@ -121,6 +128,7 @@ rule Empire_lib_modules_credentials_mimikatz_pth {
 rule Empire_Write_HijackDll {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
@@ -137,6 +145,7 @@ rule Empire_Write_HijackDll {
 rule Empire_skeleton_key {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
@@ -154,6 +163,7 @@ rule Empire_skeleton_key {
 rule Empire_invoke_wmi {
 meta:
 description = "Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/PowerShellEmpire/Empire"
 date = "2015-08-06"
diff --git a/yara/gen_powershell_invocation.yar b/yara/gen_powershell_invocation.yar
index 4c7c77f..9379208 100644
--- a/yara/gen_powershell_invocation.yar
+++ b/yara/gen_powershell_invocation.yar
@@ -2,6 +2,7 @@
 rule PowerShell_Susp_Parameter_Combo {
 meta:
 description = "Detects PowerShell invocation with suspicious parameters"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/uAic1X"
 date = "2017-03-12"
diff --git a/yara/gen_powershell_obfuscation.yar b/yara/gen_powershell_obfuscation.yar
index 23e4dc8..68968c7 100644
--- a/yara/gen_powershell_obfuscation.yar
+++ b/yara/gen_powershell_obfuscation.yar
@@ -11,6 +11,7 @@
 rule PowerShell_ISESteroids_Obfuscation {
 meta:
 description = "Detects PowerShell ISESteroids obfuscation"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/danielhbohannon/status/877953970437844993"
 date = "2017-06-23"
diff --git a/yara/gen_powershell_suite.yar b/yara/gen_powershell_suite.yar
index 2de30b5..99f4cde 100644
--- a/yara/gen_powershell_suite.yar
+++ b/yara/gen_powershell_suite.yar
@@ -2,6 +2,7 @@
 rule PowerShell_Suite_Hacktools_Gen_Strings {
 meta:
 description = "Detects strings from scripts in the PowerShell-Suite repo"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/FuzzySecurity/PowerShell-Suite"
 date = "2017-12-27"
@@ -46,6 +47,7 @@ rule PowerShell_Suite_Hacktools_Gen_Strings {
 rule PowerShell_Suite_Eidolon {
 meta:
 description = "Detects PowerShell Suite Eidolon script - file Start-Eidolon.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/FuzzySecurity/PowerShell-Suite"
 date = "2017-12-27"
diff --git a/yara/gen_powershell_susp.yar b/yara/gen_powershell_susp.yar
index 02f22cb..8e97384 100644
--- a/yara/gen_powershell_susp.yar
+++ b/yara/gen_powershell_susp.yar
@@ -10,6 +10,7 @@
 rule WordDoc_PowerShell_URLDownloadToFile {
 meta:
 description = "Detects Word Document with PowerShell URLDownloadToFile"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.arbornetworks.com/blog/asert/additional-insights-shamoon2/"
 date = "2017-02-23"
@@ -30,6 +31,7 @@ rule WordDoc_PowerShell_URLDownloadToFile {
 rule Suspicious_PowerShell_Code_1 {
 meta:
 description = "Detects suspicious PowerShell code"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 60
 reference = "Internal Research"
@@ -49,6 +51,7 @@ rule Suspicious_PowerShell_Code_1 {
 rule Suspicious_PowerShell_WebDownload_1 {
 meta:
 description = "Detects suspicious PowerShell code that downloads from web sites"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 60
 reference = "Internal Research"
@@ -76,6 +79,7 @@ rule Suspicious_PowerShell_WebDownload_1 {
 rule PowerShell_in_Word_Doc {
 meta:
 description = "Detects a powershell and bypass keyword in a Word document"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - ME"
 date = "2017-06-27"
@@ -101,6 +105,7 @@ rule PowerShell_in_Word_Doc {
 rule Susp_PowerShell_Sep17_1 {
 meta:
 description = "Detects suspicious PowerShell script in combo with VBS or JS "
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-09-30"
@@ -118,6 +123,7 @@ rule Susp_PowerShell_Sep17_1 {
 rule Susp_PowerShell_Sep17_2 {
 meta:
 description = "Detects suspicious PowerShell script in combo with VBS or JS "
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-09-30"
@@ -138,6 +144,7 @@ rule Susp_PowerShell_Sep17_2 {
 rule WScript_Shell_PowerShell_Combo {
 meta:
 description = "Detects malware from Middle Eastern campaign reported by Talos"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
 date = "2018-02-07"
@@ -159,6 +166,7 @@ rule WScript_Shell_PowerShell_Combo {
 rule SUSP_PowerShell_String_K32_RemProcess {
 meta:
 description = "Detects suspicious PowerShell code that uses Kernel32, RemoteProccess handles or shellcode"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nccgroup/redsnarf"
 date = "2018-03-31"
@@ -179,6 +187,7 @@ rule SUSP_PowerShell_String_K32_RemProcess {
 rule PowerShell_JAB_B64 {
 meta:
 description = "Detects base464 encoded $ sign at the beginning of a string"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/ItsReallyNick/status/980915287922040832"
 date = "2018-04-02"
diff --git a/yara/gen_powershell_toolkit.yar b/yara/gen_powershell_toolkit.yar
index 17bd143..371a318 100644
--- a/yara/gen_powershell_toolkit.yar
+++ b/yara/gen_powershell_toolkit.yar
@@ -10,6 +10,7 @@
 rule ps1_toolkit_PowerUp {
 meta:
 description = "Auto-generated rule - file PowerUp.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
@@ -31,6 +32,7 @@ rule ps1_toolkit_PowerUp {
 rule ps1_toolkit_Inveigh_BruteForce {
 meta:
 description = "Auto-generated rule - file Inveigh-BruteForce.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
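Review bot: In the `@@ -179,6 +187,7 @@` hunk the description of `PowerShell_JAB_B64` says `"Detects base464 encoded $ sign at the beginning of a string"`; "base464" is a typo for base64, and since this commit touches the line directly above it the fix belongs here. The `JAB` in the rule name is the base64 form of `$` followed by a null, consistent with the linked tweet, so the corrected line is `description = "Detects base64 encoded $ sign at the beginning of a string"`. The rule's strings and condition are outside the hunk.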
@@ -47,6 +49,7 @@ rule ps1_toolkit_Inveigh_BruteForce {
 rule ps1_toolkit_Invoke_Shellcode {
 meta:
 description = "Auto-generated rule - file Invoke-Shellcode.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
@@ -65,6 +68,7 @@ rule ps1_toolkit_Invoke_Shellcode {
 rule ps1_toolkit_Invoke_Mimikatz {
 meta:
 description = "Auto-generated rule - file Invoke-Mimikatz.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
@@ -84,6 +88,7 @@ rule ps1_toolkit_Invoke_Mimikatz {
 rule ps1_toolkit_Invoke_RelfectivePEInjection {
 meta:
 description = "Auto-generated rule - file Invoke-RelfectivePEInjection.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
@@ -103,6 +108,7 @@ rule ps1_toolkit_Invoke_RelfectivePEInjection {
 rule ps1_toolkit_Persistence {
 meta:
 description = "Auto-generated rule - file Persistence.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
@@ -124,6 +130,7 @@ rule ps1_toolkit_Persistence {
 rule ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection {
 meta:
 description = "Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
@@ -150,6 +157,7 @@ rule ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection {
 rule ps1_toolkit_Inveigh_BruteForce_2 {
 meta:
 description = "Auto-generated rule - from files Inveigh-BruteForce.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
@@ -167,6 +175,7 @@ rule ps1_toolkit_Inveigh_BruteForce_2 {
 rule ps1_toolkit_PowerUp_2 {
 meta:
 description = "Auto-generated rule - from files PowerUp.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
@@ -186,6 +195,7 @@ rule ps1_toolkit_PowerUp_2 {
 rule ps1_toolkit_Persistence_2 {
 meta:
 description = "Auto-generated rule - from files Persistence.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
@@ -208,6 +218,7 @@ rule ps1_toolkit_Persistence_2 {
 rule ps1_toolkit_Inveigh_BruteForce_3 {
 meta:
 description = "Auto-generated rule - from files Inveigh-BruteForce.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/vysec/ps1-toolkit"
 date = "2016-09-04"
diff --git a/yara/gen_ps_empire_eval.yar b/yara/gen_ps_empire_eval.yar
index a137fd7..ab69ffa 100644
--- a/yara/gen_ps_empire_eval.yar
+++ b/yara/gen_ps_empire_eval.yar
@@ -11,6 +11,7 @@
 rule PowerShell_Emp_Eval_Jul17_A1 {
 meta:
 description = "Detects suspicious sample with PowerShell content "
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "PowerShell Empire Eval"
 date = "2017-07-27"
@@ -25,6 +26,7 @@ rule PowerShell_Emp_Eval_Jul17_A1 {
 rule PowerShell_Emp_Eval_Jul17_A2 {
 meta:
 description = "Detects suspicious sample with PowerShell content "
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "PowerShell Empire Eval"
 date = "2017-07-27"
diff --git a/yara/gen_ps_osiris.yar b/yara/gen_ps_osiris.yar
index 79ffcfe..d538e2e 100644
--- a/yara/gen_ps_osiris.yar
+++ b/yara/gen_ps_osiris.yar
@@ -10,6 +10,7 @@
 rule Invoke_OSiRis {
 meta:
 description = "Osiris Device Guard Bypass - file Invoke-OSiRis.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-27"
diff --git a/yara/gen_pua.yar b/yara/gen_pua.yar
index 1d33f00..ecbbf45 100644
--- a/yara/gen_pua.yar
+++ b/yara/gen_pua.yar
@@ -1,6 +1,7 @@
 rule WinDivert_Driver {
 meta:
 description = "Detects WinDivert User-Mode packet capturing driver"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.reqrypt.org/windivert.html"
 date = "2017-10-02"
diff --git a/yara/gen_pupy_rat.yar b/yara/gen_pupy_rat.yar
index e0defab..050b72f 100644
--- a/yara/gen_pupy_rat.yar
+++ b/yara/gen_pupy_rat.yar
@@ -13,6 +13,7 @@ import "pe"
 rule Pupy_Backdoor {
 meta:
 description = "Detects Pupy backdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/n1nj4sec/pupy-binaries"
 date = "2017-08-11"
diff --git a/yara/gen_recon_keywords.yar b/yara/gen_recon_keywords.yar
index b953349..341bc5d 100644
--- a/yara/gen_recon_keywords.yar
+++ b/yara/gen_recon_keywords.yar
@@ -12,6 +12,7 @@
 rule Recon_Commands_Windows_Gen1 {
 meta:
 description = "Detects a set of reconnaissance commands on Windows systems"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-07-10"
diff --git a/yara/gen_redsails.yar b/yara/gen_redsails.yar
index 73b2b0e..9d53eca 100644
--- a/yara/gen_redsails.yar
+++ b/yara/gen_redsails.yar
@@ -11,6 +11,7 @@
 rule redSails_EXE {
 meta:
 description = "Detects Red Sails Hacktool by WinDivert references"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/BeetleChunks/redsails"
 date = "2017-10-02"
@@ -25,6 +26,7 @@ rule redSails_EXE {
 rule redSails_PY {
 meta:
 description = "Detects Red Sails Hacktool - Python"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/BeetleChunks/redsails"
 date = "2017-10-02"
diff --git a/yara/gen_rottenpotato.yar b/yara/gen_rottenpotato.yar
index c75fc78..b33616a 100644
--- a/yara/gen_rottenpotato.yar
+++ b/yara/gen_rottenpotato.yar
@@ -10,6 +10,7 @@
 rule RottenPotato_Potato {
 meta:
 description = "Detects a component of privilege escalation tool Rotten Potato - file Potato.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/foxglovesec/RottenPotato"
 date = "2017-02-07"
diff --git a/yara/gen_sharpcat.yar b/yara/gen_sharpcat.yar
index edcca69..fc5b339 100644
--- a/yara/gen_sharpcat.yar
+++ b/yara/gen_sharpcat.yar
@@ -8,6 +8,7 @@
 rule SharpCat {
 meta:
 description = "Detects command shell SharpCat - file SharpCat.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/Cn33liz/SharpCat"
 date = "2016-06-10"
diff --git a/yara/gen_susp_strings_in_ole.yar b/yara/gen_susp_strings_in_ole.yar
index 18a5ed4..138f383 100644
--- a/yara/gen_susp_strings_in_ole.yar
+++ b/yara/gen_susp_strings_in_ole.yar
@@ -2,6 +2,7 @@
 rule MAL_RTF_Embedded_OLE_PE {
 meta:
 description = "Detects a suspicious string often used in PE files in a hex encoded object stream"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/"
 date = "2018-01-22"
diff --git a/yara/gen_suspicious_strings.yar b/yara/gen_suspicious_strings.yar
index 684ccd6..c18589a 100644
--- a/yara/gen_suspicious_strings.yar
+++ b/yara/gen_suspicious_strings.yar
@@ -2,6 +2,7 @@
 rule Ping_Command_in_EXE {
 meta:
 description = "Detects an suspicious ping command execution in an executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-11-03"
@@ -15,6 +16,7 @@ rule Ping_Command_in_EXE {
 rule GoogleBot_UserAgent {
 meta:
 description = "Detects the GoogleBot UserAgent String in an Executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-01-27"
@@ -30,6 +32,7 @@ rule GoogleBot_UserAgent {
 rule Gen_Net_LocalGroup_Administrators_Add_Command {
 meta:
 description = "Detects an executable that contains a command to add a user account to the local administrators group"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-07-08"
@@ -42,6 +45,7 @@ rule Gen_Net_LocalGroup_Administrators_Add_Command {
 rule Suspicious_Script_Running_from_HTTP {
 meta:
 description = "Detects a suspicious "
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100"
 score = 50
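Review bot: In the `@@ -42,6 +45,7 @@` hunk the description of `Suspicious_Script_Running_from_HTTP` is the truncated fragment `"Detects a suspicious "`, so a match surfaces with no usable explanation; the license line is being inserted directly below it, so this is the moment to complete it. The rule name and the hybrid-analysis reference suggest it fires on a script interpreter being pointed at an HTTP URL, but the strings and condition are outside the hunk, so the wording should be checked against them before committing, e.g. `description = "Detects a suspicious script interpreter invocation that loads its payload from an HTTP URL"`. Note also that this rule has `score = 50` but no `date`, unlike its siblings in the same file, which is fine for scanners but worth adding for consistency.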
@@ -58,6 +62,7 @@ rule Suspicious_Script_Running_from_HTTP {
 rule ReconCommands_in_File {
 meta:
 description = "Detects various recon commands in a single file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/haroonmeer/status/939099379834658817"
 date = "2017-12-11"
@@ -78,6 +83,7 @@ rule ReconCommands_in_File {
 rule VBS_dropper_script_Dec17_1 {
 meta:
 description = "Detects a supicious VBS script that drops an executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-01-01"
@@ -97,6 +103,7 @@ rule VBS_dropper_script_Dec17_1 {
 rule SUSP_PDB_Strings_Keylogger_Backdoor {
 meta:
 description = "Detects PDB strings used in backdoors or keyloggers"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-03-23"
@@ -118,6 +125,7 @@ rule SUSP_PDB_Strings_Keylogger_Backdoor {
 rule SUSP_Microsoft_Copyright_String_Anomaly_2 {
 meta:
 description = "Detects Floxif Malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-05-11"
@@ -132,6 +140,7 @@ rule SUSP_Microsoft_Copyright_String_Anomaly_2 {
 rule SUSP_LNK_File_AppData_Roaming {
 meta:
 description = "Detects a suspicious link file that references to AppData Roaming"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html"
 date = "2018-05-16"
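Review bot: In the `@@ -118,6 +125,7 @@` hunk the rule is named `SUSP_Microsoft_Copyright_String_Anomaly_2` (a SUSP-prefixed heuristic) but its description claims `"Detects Floxif Malware"`, which tells an analyst they have a confirmed family when the name promises only an anomaly in a Microsoft copyright string; with a license line going in right below it this is worth reconciling. If the rule was derived from a Floxif sample, the honest form is something like `description = "Detects an anomalous Microsoft copyright string in a PE file (observed in Floxif samples)"`, otherwise drop the family claim; I cannot see the strings from this hunk, so confirm against the rule body. Two minor typos in the same file's meta are also within reach of this commit: `"supicious"` in `VBS_dropper_script_Dec17_1` should read `"suspicious"`.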
@@ -152,6 +161,7 @@ rule SUSP_LNK_File_AppData_Roaming {
 rule SUSP_LNK_File_PathTraversal {
 meta:
 description = "Detects a suspicious link file that references a file multiple folders lower than the link itself"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html"
 date = "2018-05-16"
diff --git a/yara/gen_sysinternals_anomaly.yar b/yara/gen_sysinternals_anomaly.yar
index 5701079..19cf5f4 100644
--- a/yara/gen_sysinternals_anomaly.yar
+++ b/yara/gen_sysinternals_anomaly.yar
@@ -10,6 +10,7 @@
 rule SysInternals_Tool_Anomaly {
 meta:
 description = "SysInternals Tool Anomaly - does not contain Mark Russinovich as author"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-12-06"
diff --git a/yara/gen_tempracer.yar b/yara/gen_tempracer.yar
index 70fc061..6469168 100644
--- a/yara/gen_tempracer.yar
+++ b/yara/gen_tempracer.yar
@@ -10,6 +10,7 @@
 rule TempRacer {
 meta:
 description = "Detects privilege escalation tool - file TempRacer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/"
 date = "2016-03-30"
diff --git a/yara/gen_transformed_strings.yar b/yara/gen_transformed_strings.yar
index 9673330..443b667 100644
--- a/yara/gen_transformed_strings.yar
+++ b/yara/gen_transformed_strings.yar
@@ -10,6 +10,7 @@
 rule Typical_Malware_String_Transforms {
 meta:
 description = "Detects typical strings in a reversed or otherwise modified form"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2016-07-31"
diff --git a/yara/gen_tscookie_rat.yar b/yara/gen_tscookie_rat.yar
index 8213a1f..cf6bf6e 100644
--- a/yara/gen_tscookie_rat.yar
+++ b/yara/gen_tscookie_rat.yar
@@ -13,6 +13,7 @@ import "pe"
 rule TSCookie_RAT {
 meta:
 description = "Detects TSCookie RAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html"
 date = "2018-03-06"
diff --git a/yara/gen_unspecified_malware.yar b/yara/gen_unspecified_malware.yar
index 8aa9e43..17a5a3e 100644
--- a/yara/gen_unspecified_malware.yar
+++ b/yara/gen_unspecified_malware.yar
@@ -3,6 +3,7 @@
 rule Unspecified_Malware_Jul17_2C {
 meta:
 description = "Unspecified Malware - CN relation"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/CX3KaY"
 date = "2017-07-18"
diff --git a/yara/gen_url_to_local_exe.yar b/yara/gen_url_to_local_exe.yar
index 13d2fb6..8b8ba75 100644
--- a/yara/gen_url_to_local_exe.yar
+++ b/yara/gen_url_to_local_exe.yar
@@ -1,6 +1,7 @@
 rule URL_File_Local_EXE {
 meta:
 description = "Detects an .url file that points to a local executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/malwareforme/status/915300883012870144"
 date = "2017-10-04"
diff --git a/yara/gen_win_privesc.yar b/yara/gen_win_privesc.yar
index d3be8e6..912b15d 100644
--- a/yara/gen_win_privesc.yar
+++ b/yara/gen_win_privesc.yar
@@ -10,6 +10,7 @@
 rule Win_PrivEsc_gp3finder_v4_0 {
 meta:
 description = "Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/"
 date = "2016-06-02"
@@ -26,6 +27,7 @@ rule Win_PrivEsc_gp3finder_v4_0 {
 rule Win_PrivEsc_folderperm {
 meta:
 description = "Detects a tool that can be used for privilege escalation - file folderperm.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.greyhathacker.net/?p=738"
 date = "2016-06-02"
@@ -42,6 +44,7 @@ rule Win_PrivEsc_folderperm {
 rule Win_PrivEsc_ADACLScan4_3 {
 meta:
 description = "Detects a tool that can be used for privilege escalation - file ADACLScan4.3.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://adaclscan.codeplex.com/"
 score = 60
diff --git a/yara/gen_winpayloads.yar b/yara/gen_winpayloads.yar
index 2d47d62..0366899 100644
--- a/yara/gen_winpayloads.yar
+++ b/yara/gen_winpayloads.yar
@@ -12,6 +12,7 @@
 rule WinPayloads_PowerShell {
 meta:
 description = "Detects WinPayloads PowerShell Payload"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nccgroup/Winpayloads"
 date = "2017-07-11"
@@ -28,6 +29,7 @@ rule WinPayloads_PowerShell {
 rule WinPayloads_Payload {
 meta:
 description = "Detects WinPayloads Payload"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nccgroup/Winpayloads"
 date = "2017-07-11"
diff --git a/yara/gen_winshells.yar b/yara/gen_winshells.yar
index 5a8e92d..27354e2 100644
--- a/yara/gen_winshells.yar
+++ b/yara/gen_winshells.yar
@@ -10,6 +10,7 @@
 rule WindowsShell_s3 {
 meta:
 description = "Detects simple Windows shell - file s3.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/odzhan/shells/"
 date = "2016-03-26"
@@ -31,6 +32,7 @@ rule WindowsShell_s3 {
 rule WindosShell_s1 {
 meta:
 description = "Detects simple Windows shell - file s1.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/odzhan/shells/"
 date = "2016-03-26"
@@ -51,6 +53,7 @@ rule WindosShell_s1 {
 rule WindowsShell_s4 {
 meta:
 description = "Detects simple Windows shell - file s4.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/odzhan/shells/"
 date = "2016-03-26"
@@ -73,6 +76,7 @@ rule WindowsShell_s4 {
 rule WindowsShell_Gen {
 meta:
 description = "Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/odzhan/shells/"
 date = "2016-03-26"
@@ -93,6 +97,7 @@ rule WindowsShell_Gen {
 rule WindowsShell_Gen2 {
 meta:
 description = "Detects simple Windows shell - from files s3.exe, s4.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/odzhan/shells/"
 date = "2016-03-26"
diff --git a/yara/gen_wmi_implant.yar b/yara/gen_wmi_implant.yar
index ee795d4..0d2bfa3 100644
--- a/yara/gen_wmi_implant.yar
+++ b/yara/gen_wmi_implant.yar
@@ -10,6 +10,7 @@
 rule WMImplant {
 meta:
 description = "Auto-generated rule - file WMImplant.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"
 date = "2017-03-24"
diff --git a/yara/gen_xtreme_rat.yar b/yara/gen_xtreme_rat.yar
index 76d59a7..70ce797 100644
--- a/yara/gen_xtreme_rat.yar
+++ b/yara/gen_xtreme_rat.yar
@@ -14,6 +14,7 @@ import "pe"
 rule Xtreme_Sep17_1 {
 meta:
 description = "Detects XTREME sample analyzed in September 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-09-27"
@@ -37,6 +38,7 @@ rule Xtreme_Sep17_1 {
 rule Xtreme_Sep17_2 {
 meta:
 description = "Detects XTREME sample analyzed in September 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-09-27"
@@ -51,6 +53,7 @@ rule Xtreme_Sep17_2 {
 rule Xtreme_Sep17_3 {
 meta:
 description = "Detects XTREME sample analyzed in September 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-09-27"
@@ -65,6 +68,7 @@ rule Xtreme_Sep17_3 {
 rule Xtreme_RAT_Gen_Imp {
 meta:
 description = "Detects XTREME sample analyzed in September 2017"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-09-27"
diff --git a/yara/gen_ysoserial_payloads.yar b/yara/gen_ysoserial_payloads.yar
index 334e4c8..07d945b 100644
--- a/yara/gen_ysoserial_payloads.yar
+++ b/yara/gen_ysoserial_payloads.yar
@@ -10,6 +10,7 @@
 rule Ysoserial_Payload_MozillaRhino1 {
 meta:
 description = "Ysoserial Payloads - file MozillaRhino1.bin"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/frohoff/ysoserial"
 date = "2017-02-04"
@@ -23,6 +24,7 @@ rule Ysoserial_Payload_MozillaRhino1 {
 rule Ysoserial_Payload_C3P0 {
 meta:
 description = "Ysoserial Payloads - file C3P0.bin"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/frohoff/ysoserial"
 date = "2017-02-04"
@@ -36,6 +38,7 @@ rule Ysoserial_Payload_C3P0 {
 rule Ysoserial_Payload_Spring1 {
 meta:
 description = "Ysoserial Payloads - file Spring1.bin"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/frohoff/ysoserial"
 date = "2017-02-04"
@@ -55,6 +58,7 @@ rule Ysoserial_Payload_Spring1 {
 rule Ysoserial_Payload {
 meta:
 description = "Ysoserial Payloads"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/frohoff/ysoserial"
 date = "2017-02-04"
@@ -84,6 +88,7 @@ rule Ysoserial_Payload {
 rule Ysoserial_Payload_3 {
 meta:
 description = "Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/frohoff/ysoserial"
 date = "2017-02-04"
diff --git a/yara/general_cloaking.yar b/yara/general_cloaking.yar
index e0102d5..41f82d0 100644
--- a/yara/general_cloaking.yar
+++ b/yara/general_cloaking.yar
@@ -13,6 +13,7 @@
 rule EXE_cloaked_as_TXT {
 meta:
 description = "Executable with TXT extension"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 condition:
 uint16(0) == 0x5a4d // Executable
@@ -22,6 +23,7 @@ rule EXE_cloaked_as_TXT {
 rule EXE_extension_cloaking {
 meta:
 description = "Executable showing different extension (Windows default 'hide known extension')"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 condition:
 filename matches /\.txt\.exe$/is or // Special file extensions
@@ -31,6 +33,7 @@ rule EXE_extension_cloaking {
 rule Cloaked_RAR_File {
 meta:
 description = "RAR file cloaked by a different extension"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 condition:
 uint32be(0) == 0x52617221 // RAR File Magic Header
@@ -41,6 +44,7 @@ rule Cloaked_RAR_File {
 rule Base64_encoded_Executable {
 meta:
 description = "Detects an base64 encoded executable (often embedded)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-05-28"
 score = 40
@@ -57,6 +61,7 @@ rule Base64_encoded_Executable {
 rule Gen_Base64_EXE {
 meta:
 description = "Detects Base64 encoded Executable in Executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-04-21"
@@ -76,6 +81,7 @@ rule Gen_Base64_EXE {
 rule Binary_Drop_Certutil {
 meta:
 description = "Drop binary as base64 encoded cert trick"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/9DNn8q"
 date = "2015-07-15"
@@ -91,6 +97,7 @@ rule Binary_Drop_Certutil {
 rule StegoKatz {
 meta:
 description = "Encoded Mimikatz in other file types"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/jWPBBY"
 date = "2015-09-11"
@@ -105,6 +112,7 @@ rule StegoKatz {
 rule Obfuscated_VBS_April17 {
 meta:
 description = "Detects cloaked Mimikatz in VBS obfuscation"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-04-21"
@@ -117,6 +125,7 @@ rule Obfuscated_VBS_April17 {
 rule Obfuscated_JS_April17 {
 meta:
 description = "Detects cloaked Mimikatz in JS obfuscation"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-04-21"
diff --git a/yara/general_officemacros.yar b/yara/general_officemacros.yar
index 9b02901..ec9c729 100644
--- a/yara/general_officemacros.yar
+++ b/yara/general_officemacros.yar
@@ -2,6 +2,7 @@
 rule Office_AutoOpen_Macro {
 meta:
 description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-05-28"
 score = 40
@@ -26,6 +27,7 @@ rule Office_AutoOpen_Macro {
 rule Office_as_MHTML {
 meta:
 description = "Detects an Microsoft Office saved as a MHTML file (false positives are possible but rare; many matches on CVE-2012-0158)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-05-28"
 score = 40
@@ -48,6 +50,7 @@ rule Office_as_MHTML {
 rule Docm_in_PDF {
 meta:
 description = "Detects an embedded DOCM in PDF combined with OpenAction"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-05-15"
diff --git a/yara/generic_anomalies.yar b/yara/generic_anomalies.yar
index a91c757..4a34844 100644
--- a/yara/generic_anomalies.yar
+++ b/yara/generic_anomalies.yar
@@ -12,7 +12,8 @@
 rule Embedded_EXE_Cloaking {
 meta:
 description = "Detects an embedded executable in a non-executable file"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 date = "2015/02/27"
 score = 65
 strings:
@@ -64,7 +65,8 @@ rule Cloaked_as_JPG {
 rule Suspicious_Size_explorer_exe {
 meta:
 description = "Detects uncommon file size of explorer.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -77,7 +79,8 @@ rule Suspicious_Size_explorer_exe {
 rule Suspicious_Size_chrome_exe {
 meta:
 description = "Detects uncommon file size of chrome.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -89,7 +92,8 @@ rule Suspicious_Size_chrome_exe {
 rule Suspicious_Size_csrss_exe {
 meta:
 description = "Detects uncommon file size of csrss.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -101,7 +105,8 @@ rule Suspicious_Size_csrss_exe {
 rule Suspicious_Size_iexplore_exe {
 meta:
 description = "Detects uncommon file size of iexplore.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -114,7 +119,8 @@ rule Suspicious_Size_iexplore_exe {
 rule Suspicious_Size_firefox_exe {
 meta:
 description = "Detects uncommon file size of firefox.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -126,7 +132,8 @@ rule Suspicious_Size_firefox_exe {
 rule Suspicious_Size_java_exe {
 meta:
 description = "Detects uncommon file size of java.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -138,7 +145,8 @@ rule Suspicious_Size_java_exe {
 rule Suspicious_Size_lsass_exe {
 meta:
 description = "Detects uncommon file size of lsass.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -150,7 +158,8 @@ rule Suspicious_Size_lsass_exe {
 rule Suspicious_Size_svchost_exe {
 meta:
 description = "Detects uncommon file size of svchost.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -162,7 +171,8 @@ rule Suspicious_Size_svchost_exe {
 rule Suspicious_Size_winlogon_exe {
 meta:
 description = "Detects uncommon file size of winlogon.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -174,7 +184,8 @@ rule Suspicious_Size_winlogon_exe {
 rule Suspicious_Size_igfxhk_exe {
 meta:
 description = "Detects uncommon file size of igfxhk.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-21"
 condition:
@@ -186,7 +197,8 @@ rule Suspicious_Size_igfxhk_exe {
 rule Suspicious_Size_servicehost_dll {
 meta:
 description = "Detects uncommon file size of servicehost.dll"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-23"
 condition:
@@ -198,7 +210,8 @@ rule Suspicious_Size_servicehost_dll {
 rule Suspicious_Size_rundll32_exe {
 meta:
 description = "Detects uncommon file size of rundll32.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-23"
 condition:
@@ -210,7 +223,8 @@ rule Suspicious_Size_rundll32_exe {
 rule Suspicious_Size_taskhost_exe {
 meta:
 description = "Detects uncommon file size of taskhost.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-23"
 condition:
@@ -222,7 +236,8 @@ rule Suspicious_Size_taskhost_exe {
 rule Suspicious_Size_spoolsv_exe {
 meta:
 description = "Detects uncommon file size of spoolsv.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-23"
 condition:
@@ -234,7 +249,8 @@ rule Suspicious_Size_spoolsv_exe {
 rule Suspicious_Size_smss_exe {
 meta:
 description = "Detects uncommon file size of smss.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-23"
 condition:
@@ -246,7 +262,8 @@ rule Suspicious_Size_smss_exe {
 rule Suspicious_Size_wininit_exe {
 meta:
 description = "Detects uncommon file size of wininit.exe"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 60
 date = "2015-12-23"
 condition:
@@ -258,6 +275,7 @@ rule Suspicious_Size_wininit_exe {
 rule Suspicious_AutoIt_by_Microsoft {
 meta:
 description = "Detects a AutoIt script with Microsoft identification"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - VT"
 date = "2017-12-14"
diff --git a/yara/generic_cryptors.yar b/yara/generic_cryptors.yar
index 4064cc5..7f27d57 100644
--- a/yara/generic_cryptors.yar
+++ b/yara/generic_cryptors.yar
@@ -2,6 +2,7 @@
 rule DarkEYEv3_Cryptor {
 meta:
 description = "Rule to detect DarkEYEv3 encrypted executables (often malware)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://darkeyev3.blogspot.fi/"
 date = "2015-05-24"
diff --git a/yara/generic_dumps.yar b/yara/generic_dumps.yar
index 24c3680..44be102 100644
--- a/yara/generic_dumps.yar
+++ b/yara/generic_dumps.yar
@@ -2,6 +2,7 @@
 rule LSASS_memory_dump_file {
 meta:
 description = "Detects a LSASS memory dump file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015/03/31"
 memory = 0
@@ -16,6 +17,7 @@ rule LSASS_memory_dump_file {
 rule NTLM_Dump_Output {
 meta:
 description = "NTML Hash Dump output file - John/LC format"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-10-01"
 score = 75
@@ -29,6 +31,7 @@ rule NTLM_Dump_Output {
 rule Gsecdump_password_dump_file {
 meta:
 description = "Detects a gsecdump output file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://t.co/OLIj1yVJ4m"
 date = "2018-03-06"
diff --git a/yara/generic_exe2hex_payload.yar b/yara/generic_exe2hex_payload.yar
index 8319680..dc700da 100644
--- a/yara/generic_exe2hex_payload.yar
+++ b/yara/generic_exe2hex_payload.yar
@@ -8,6 +8,7 @@
 rule Payload_Exe2Hex {
 meta:
 description = "Detects payload generated by exe2hex"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/g0tmi1k/exe2hex"
 date = "2016-01-15"
diff --git a/yara/pua_cryptocoin_miner.yar b/yara/pua_cryptocoin_miner.yar
index cf1f534..2c1c4c0 100644
--- a/yara/pua_cryptocoin_miner.yar
+++ b/yara/pua_cryptocoin_miner.yar
@@ -2,6 +2,7 @@
 rule CoinMiner_Strings {
 meta:
 description = "Detects mining pool protocol string in Executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 50
 reference = "https://minergate.com/faq/what-pool-address"
@@ -16,6 +17,7 @@ rule CoinMiner_Strings {
 rule CoinHive_Javascript_MoneroMiner {
 meta:
 description = "Detects CoinHive - JavaScript Crypto Miner"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 50
 reference = "https://coinhive.com/documentation/miner"
diff --git a/yara/pua_xmrig_monero_miner.yar b/yara/pua_xmrig_monero_miner.yar
index 46c2b5b..a21f64e 100644
--- a/yara/pua_xmrig_monero_miner.yar
+++ b/yara/pua_xmrig_monero_miner.yar
@@ -11,6 +11,7 @@
 rule XMRIG_Monero_Miner {
 meta:
 description = "Detects Monero mining software"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/xmrig/xmrig/releases"
 date = "2018-01-04"
@@ -30,6 +31,7 @@ rule XMRIG_Monero_Miner {
 rule XMRIG_Monero_Miner_Config {
 meta:
 description = "Auto-generated rule - from files config.json, config.json"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/xmrig/xmrig/releases"
 date = "2018-01-04"
@@ -46,6 +48,7 @@ rule XMRIG_Monero_Miner_Config {
 rule PUA_LNX_XMRIG_CryptoMiner {
 meta:
 description = "Detects XMRIG CryptoMiner software"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-06-28"
diff --git a/yara/pup_lightftp.yar b/yara/pup_lightftp.yar
index 7a316fb..a087152 100644
--- a/yara/pup_lightftp.yar
+++ b/yara/pup_lightftp.yar
@@ -2,6 +2,7 @@
 rule LightFTP_fftp_x86_64 {
 meta:
 description = "Detects a light FTP server"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/hfiref0x/LightFTP"
 date = "2015-05-14"
@@ -21,6 +22,7 @@ rule LightFTP_fftp_x86_64 {
 rule LightFTP_Config {
 meta:
 description = "Detects a light FTP server - config file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/hfiref0x/LightFTP"
 date = "2015-05-14"
diff --git a/yara/spy_equation_fiveeyes.yar b/yara/spy_equation_fiveeyes.yar
index 1d9eb1e..3492e82 100644
--- a/yara/spy_equation_fiveeyes.yar
+++ b/yara/spy_equation_fiveeyes.yar
@@ -70,6 +70,7 @@ rule apt_equation_cryptotable {
 rule Equation_Kaspersky_TripleFantasy_1 {
 meta:
 description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -104,6 +105,7 @@ rule Equation_Kaspersky_TripleFantasy_1 {
 rule Equation_Kaspersky_DoubleFantasy_1 {
 meta:
 description = "Equation Group Malware - DoubleFantasy"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -136,6 +138,7 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
 rule Equation_Kaspersky_GROK_Keylogger {
 meta:
 description = "Equation Group Malware - GROK keylogger"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -169,6 +172,7 @@ rule Equation_Kaspersky_GROK_Keylogger {
 rule Equation_Kaspersky_GreyFishInstaller {
 meta:
 description = "Equation Group Malware - Grey Fish"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -184,6 +188,7 @@ rule Equation_Kaspersky_GreyFishInstaller {
 rule Equation_Kaspersky_EquationDrugInstaller {
 meta:
 description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -208,6 +213,7 @@ rule Equation_Kaspersky_EquationDrugInstaller {
 rule Equation_Kaspersky_EquationLaserInstaller {
 meta:
 description = "Equation Group Malware - EquationLaser Installer"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -230,6 +236,7 @@ rule Equation_Kaspersky_EquationLaserInstaller {
 rule Equation_Kaspersky_FannyWorm {
 meta:
 description = "Equation Group Malware - Fanny Worm"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -269,6 +276,7 @@ rule Equation_Kaspersky_FannyWorm {
 rule Equation_Kaspersky_HDD_reprogramming_module {
 meta:
 description = "Equation Group Malware - HDD reprogramming module"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -288,6 +296,7 @@ rule Equation_Kaspersky_HDD_reprogramming_module {
 rule Equation_Kaspersky_EOP_Package {
 meta:
 description = "Equation Group Malware - EoP package and malware launcher"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -308,6 +317,7 @@ rule Equation_Kaspersky_EOP_Package {
 rule Equation_Kaspersky_TripleFantasy_Loader {
 meta:
 description = "Equation Group Malware - TripleFantasy Loader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/16"
@@ -334,6 +344,7 @@ rule Equation_Kaspersky_TripleFantasy_Loader {
 rule Equation_Kaspersky_SuspiciousString {
 meta:
 description = "Equation Group Malware - suspicious string found in sample"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/ivt8EW"
 date = "2015/02/17"
diff --git a/yara/spy_querty_fiveeyes.yar b/yara/spy_querty_fiveeyes.yar
index 5e7775f..3f5df05 100644
--- a/yara/spy_querty_fiveeyes.yar
+++ b/yara/spy_querty_fiveeyes.yar
@@ -3,6 +3,7 @@
 rule FiveEyes_QUERTY_Malwareqwerty_20121 {
 meta:
 description = "FiveEyes QUERTY Malware - file 20121.xml"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.spiegel.de/media/media-35668.pdf"
 date = "2015/01/18"
@@ -26,6 +27,7 @@ rule FiveEyes_QUERTY_Malwareqwerty_20121 {
 rule FiveEyes_QUERTY_Malwaresig_20123_sys {
 meta:
 description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.spiegel.de/media/media-35668.pdf"
 date = "2015/01/18"
@@ -43,6 +45,7 @@ rule FiveEyes_QUERTY_Malwaresig_20123_sys {
 rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
 meta:
 description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.spiegel.de/media/media-35668.pdf"
 date = "2015/01/18"
@@ -76,6 +79,7 @@ rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
 rule FiveEyes_QUERTY_Malwaresig_20121_dll {
 meta:
 description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.spiegel.de/media/media-35668.pdf"
 date = "2015/01/18"
@@ -89,6 +93,7 @@ rule FiveEyes_QUERTY_Malwaresig_20121_dll {
 rule FiveEyes_QUERTY_Malwareqwerty_20123 {
 meta:
 description = "FiveEyes QUERTY Malware - file 20123.xml"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.spiegel.de/media/media-35668.pdf"
 date = "2015/01/18"
@@ -113,6 +118,7 @@ rule FiveEyes_QUERTY_Malwareqwerty_20123 {
 rule FiveEyes_QUERTY_Malwaresig_20120_dll {
 meta:
 description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.spiegel.de/media/media-35668.pdf"
 date = "2015/01/18"
@@ -146,6 +152,7 @@ rule FiveEyes_QUERTY_Malwaresig_20120_dll {
 rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
 meta:
 description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.spiegel.de/media/media-35668.pdf"
 date = "2015/01/18"
@@ -179,6 +186,7 @@ rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
 rule FiveEyes_QUERTY_Malwareqwerty_20120 {
 meta:
 description = "FiveEyes QUERTY Malware - file 20120.xml"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.spiegel.de/media/media-35668.pdf"
 date = "2015/01/18"
@@ -202,6 +210,7 @@ rule FiveEyes_QUERTY_Malwareqwerty_20120 {
 rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
 meta:
 description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.spiegel.de/media/media-35668.pdf"
 date = "2015/01/18"
diff --git a/yara/spy_regin_fiveeyes.yar b/yara/spy_regin_fiveeyes.yar
index b6a5163..1033602 100644
--- a/yara/spy_regin_fiveeyes.yar
+++ b/yara/spy_regin_fiveeyes.yar
@@ -332,6 +332,7 @@ rule apt_regin_hopscotch {
 rule Regin_Related_Malware {
 meta:
 description = "Malware Sample - maybe Regin related"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 reference = "VT Analysis"
diff --git a/yara/thor-hacktools.yar b/yara/thor-hacktools.yar
index 41c1a22..b318e63 100644
--- a/yara/thor-hacktools.yar
+++ b/yara/thor-hacktools.yar
@@ -120,6 +120,7 @@ rule HackTool_Samples {
 rule Fierce2
 {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "This signature detects the Fierce2 domain scanner"
 date = "07/2014"
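Review bot: In the `Fierce2` hunk of thor-hacktools.yar the new `license` entry is inserted as the first meta key, ahead of `author`, whereas every other hunk in this commit places it directly after `description`; the `Ncrack` and `SQLMap` hunks on the next line follow the same odd placement. A fixed position for the key keeps the meta blocks uniform and easier to parse with tooling that reads rule metadata. Consider moving `license = "https://creativecommons.org/licenses/by-nc/4.0/"` to follow the `description` line in those three rules; the ordering difference appears to stem from these older rules listing `author` before `description`, which the rest of the file does not.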
@@ -133,6 +134,7 @@ rule Fierce2
 rule Ncrack
 {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "This signature detects the Ncrack brute force tool"
 date = "07/2014"
@@ -146,6 +148,7 @@ rule Ncrack
 rule SQLMap
 {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "This signature detects the SQLMap SQL injection tool"
 date = "07/2014"
@@ -441,6 +444,7 @@ rule crack_Loader {
 rule CN_GUI_Scanner {
 meta:
 description = "Detects an unknown GUI scanner tool - CN background"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "3c67bbb1911cdaef5e675c56145e1112"
 score = 65
@@ -458,6 +462,7 @@ rule CN_GUI_Scanner {
 rule CN_Packed_Scanner {
 meta:
 description = "Suspiciously packed executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
 score = 40
@@ -474,6 +479,7 @@ rule CN_Packed_Scanner {
 rule Tiny_Network_Tool_Generic {
 meta:
 description = "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "08.10.2014"
 score = 40
@@ -510,6 +516,7 @@ rule Tiny_Network_Tool_Generic {
 rule Beastdoor_Backdoor {
 meta:
 description = "Detects the backdoor Beastdoor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 55
 hash = "5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a"
@@ -530,6 +537,7 @@ rule Beastdoor_Backdoor {
 rule Powershell_Netcat {
 meta:
 description = "Detects a Powershell version of the Netcat network hacking tool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 60
 date = "10.10.2014"
@@ -544,6 +552,7 @@ rule Powershell_Netcat {
 rule Chinese_Hacktool_1014 {
 meta:
 description = "Detects a chinese hacktool with unknown use"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 60
 date = "10.10.2014"
@@ -561,6 +570,7 @@ rule Chinese_Hacktool_1014 {
 rule CN_Hacktool_BAT_PortsOpen {
 meta:
 description = "Detects a chinese BAT hacktool for local port evaluation"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 60
 date = "12.10.2014"
@@ -575,6 +585,7 @@ rule CN_Hacktool_BAT_PortsOpen {
 rule CN_Hacktool_SSPort_Portscanner {
 meta:
 description = "Detects a chinese Portscanner named SSPort"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 date = "12.10.2014"
@@ -589,6 +600,7 @@ rule CN_Hacktool_SSPort_Portscanner {
 rule CN_Hacktool_ScanPort_Portscanner {
 meta:
 description = "Detects a chinese Portscanner named ScanPort"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 date = "12.10.2014"
@@ -603,6 +615,7 @@ rule CN_Hacktool_ScanPort_Portscanner {
 rule CN_Hacktool_S_EXE_Portscanner {
 meta:
 description = "Detects a chinese Portscanner named s.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 date = "12.10.2014"
@@ -617,6 +630,7 @@ rule CN_Hacktool_S_EXE_Portscanner {
 rule CN_Hacktool_MilkT_BAT {
 meta:
 description = "Detects a chinese Portscanner named MilkT - shipped BAT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 date = "12.10.2014"
@@ -630,6 +644,7 @@ rule CN_Hacktool_MilkT_BAT {
 rule CN_Hacktool_MilkT_Scanner {
 meta:
 description = "Detects a chinese Portscanner named MilkT"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 60
 date = "12.10.2014"
@@ -648,6 +663,7 @@ rule CN_Hacktool_MilkT_Scanner {
 rule CN_Hacktool_1433_Scanner {
 meta:
 description = "Detects a chinese MSSQL scanner"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 40
 date = "12.10.2014"
@@ -666,6 +682,7 @@ rule CN_Hacktool_1433_Scanner {
 rule CN_Hacktool_1433_Scanner_Comp2 {
 meta:
 description = "Detects a chinese MSSQL scanner - component 2"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 40
 date = "12.10.2014"
@@ -681,6 +698,7 @@ rule CN_Hacktool_1433_Scanner_Comp2 {
 rule WCE_Modified_1_1014 {
 meta:
 description = "Modified (packed) version of Windows Credential Editor"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "09a412ac3c85cedce2642a19e99d8f903a2e0354"
 score = 70
@@ -695,6 +713,7 @@ rule WCE_Modified_1_1014 {
 rule ReactOS_cmd_valid {
 meta:
 description = "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "05.11.14"
 reference = "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php"
@@ -712,6 +731,7 @@ rule ReactOS_cmd_valid {
 rule iKAT_wmi_rundll {
 meta:
 description = "This exe will attempt to use WMI to Call the Win32_Process event to spawn rundll - file wmi_rundll.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "05.11.14"
 score = 65
@@ -733,6 +753,7 @@ rule iKAT_wmi_rundll {
 rule iKAT_revelations {
 meta:
 description = "iKAT hack tool showing the content of password fields - file revelations.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "05.11.14"
 score = 75
@@ -750,6 +771,7 @@ rule iKAT_revelations {
 rule iKAT_priv_esc_tasksch {
 meta:
 description = "Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista."
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "05.11.14"
 score = 75
@@ -776,6 +798,7 @@ rule iKAT_priv_esc_tasksch {
 rule iKAT_command_lines_agent {
 meta:
 description = "iKAT hack tools set agent - file ikat.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "05.11.14"
 score = 75
@@ -797,6 +820,7 @@ rule iKAT_command_lines_agent {
 rule iKAT_cmd_as_dll {
 meta:
 description = "iKAT toolset file cmd.dll ReactOS file cloaked"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "05.11.14"
 score = 65
@@ -815,6 +839,7 @@ rule iKAT_cmd_as_dll {
 rule iKAT_tools_nmap {
 meta:
 description = "Generic rule for NMAP - based on NMAP 4 standalone"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "05.11.14"
 score = 50
@@ -832,6 +857,7 @@ rule iKAT_tools_nmap {
 rule iKAT_startbar {
 meta:
 description = "Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "05.11.14"
 score = 50
@@ -852,6 +878,7 @@ rule iKAT_startbar {
 rule iKAT_Tool_Generic {
 meta:
 description = "Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "05.11.14"
 score = 55
@@ -975,6 +1002,7 @@ rule APT_Proxy_Malware_Packed_dev
 rule Tzddos_DDoS_Tool_CN {
 meta:
 description = "Disclosed hacktool set - file tzddos"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -994,6 +1022,7 @@ rule Tzddos_DDoS_Tool_CN {
 rule Ncat_Hacktools_CN {
 meta:
 description = "Disclosed hacktool set - file nc.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1012,6 +1041,7 @@ rule Ncat_Hacktools_CN {
 rule MS08_067_Exploit_Hacktools_CN {
 meta:
 description = "Disclosed hacktool set - file cs.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1031,6 +1061,7 @@ rule MS08_067_Exploit_Hacktools_CN {
 rule Hacktools_CN_Burst_sql {
 meta:
 description = "Disclosed hacktool set - file sql.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1052,6 +1083,7 @@ rule Hacktools_CN_Burst_sql {
 rule Hacktools_CN_Panda_445TOOL {
 meta:
 description = "Disclosed hacktool set - file 445TOOL.rar"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1068,6 +1100,7 @@ rule Hacktools_CN_Panda_445TOOL {
 rule Hacktools_CN_Panda_445 {
 meta:
 description = "Disclosed hacktool set - file 445.rar"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1088,6 +1121,7 @@ rule Hacktools_CN_Panda_445 {
 rule Hacktools_CN_WinEggDrop {
 meta:
 description = "Disclosed hacktool set - file s.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1111,6 +1145,7 @@ rule Hacktools_CN_WinEggDrop {
 rule Hacktools_CN_Scan_BAT {
 meta:
 description = "Disclosed hacktool set - file scan.bat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1129,6 +1164,7 @@ rule Hacktools_CN_Scan_BAT {
 rule Hacktools_CN_Panda_Burst {
 meta:
 description = "Disclosed hacktool set - file Burst.rar"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1142,6 +1178,7 @@ rule Hacktools_CN_Panda_Burst {
 rule Hacktools_CN_445_cmd {
 meta:
 description = "Disclosed hacktool set - file cmd.bat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1157,6 +1194,7 @@ rule Hacktools_CN_445_cmd {
 rule Hacktools_CN_GOGOGO_Bat {
 meta:
 description = "Disclosed hacktool set - file GOGOGO.bat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1182,6 +1220,7 @@ rule Hacktools_CN_GOGOGO_Bat {
 rule Hacktools_CN_Burst_pass {
 meta:
 description = "Disclosed hacktool set - file pass.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1205,6 +1244,7 @@ rule Hacktools_CN_Burst_pass {
 rule Hacktools_CN_JoHor_Posts_Killer {
 meta:
 description = "Disclosed hacktool set - file JoHor_Posts_Killer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1226,6 +1266,7 @@ rule Hacktools_CN_JoHor_Posts_Killer {
 rule Hacktools_CN_Panda_tesksd {
 meta:
 description = "Disclosed hacktool set - file tesksd.jpg"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1241,6 +1282,7 @@ rule Hacktools_CN_Panda_tesksd {
 rule Hacktools_CN_Http {
 meta:
 description = "Disclosed hacktool set - file Http.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1257,6 +1299,7 @@ rule Hacktools_CN_Http {
 rule Hacktools_CN_Burst_Start {
 meta:
 description = "Disclosed hacktool set - file Start.bat - DoS tool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1278,6 +1321,7 @@ rule Hacktools_CN_Burst_Start {
 rule Hacktools_CN_Panda_tasksvr {
 meta:
 description = "Disclosed hacktool set - file tasksvr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1292,6 +1336,7 @@ rule Hacktools_CN_Panda_tasksvr {
 rule Hacktools_CN_Burst_Clear {
 meta:
 description = "Disclosed hacktool set - file Clear.bat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1313,6 +1358,7 @@ rule Hacktools_CN_Burst_Clear {
 rule Hacktools_CN_Burst_Thecard {
 meta:
 description = "Disclosed hacktool set - file Thecard.bat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1330,6 +1376,7 @@ rule Hacktools_CN_Burst_Thecard {
 rule Hacktools_CN_Burst_Blast {
 meta:
 description = "Disclosed hacktool set - file Blast.bat"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "17.11.14"
 score = 60
@@ -1344,6 +1391,7 @@ rule Hacktools_CN_Burst_Blast {
 rule VUBrute_VUBrute {
 meta:
 description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "22.11.14"
 score = 70
@@ -1360,6 +1408,7 @@ rule VUBrute_VUBrute {
 rule DK_Brute {
 meta:
 description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "22.11.14"
 score = 70
@@ -1377,6 +1426,7 @@ rule DK_Brute {
 rule VUBrute_config {
 meta:
 description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "22.11.14"
 score = 70
@@ -1397,6 +1447,7 @@ rule VUBrute_config {
 rule sig_238_hunt {
 meta:
 description = "Disclosed hacktool set (old stuff) - file hunt.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1416,6 +1467,7 @@ rule sig_238_hunt {
 rule sig_238_listip {
 meta:
 description = "Disclosed hacktool set (old stuff) - file listip.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1434,6 +1486,7 @@ rule sig_238_listip {
 rule ArtTrayHookDll {
 meta:
 description = "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1448,6 +1501,7 @@ rule ArtTrayHookDll {
 rule sig_238_eee {
 meta:
 description = "Disclosed hacktool set (old stuff) - file eee.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1467,6 +1521,7 @@ rule sig_238_eee {
 rule aspbackdoor_asp4 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file asp4.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1487,6 +1542,7 @@ rule aspbackdoor_asp4 {
 rule aspfile1 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file aspfile1.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1505,6 +1561,7 @@ rule aspfile1 {
 rule EditServer {
 meta:
 description = "Disclosed hacktool set (old stuff) - file EditServer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1527,6 +1584,7 @@ rule EditServer {
 rule sig_238_letmein {
 meta:
 description = "Disclosed hacktool set (old stuff) - file letmein.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1543,6 +1601,7 @@ rule sig_238_letmein {
 rule sig_238_token {
 meta:
 description = "Disclosed hacktool set (old stuff) - file token.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1560,6 +1619,7 @@ rule sig_238_token {
 rule sig_238_TELNET {
 meta:
 description = "Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1576,6 +1636,7 @@ rule sig_238_TELNET {
 rule snifferport {
 meta:
 description = "Disclosed hacktool set (old stuff) - file snifferport.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1593,6 +1654,7 @@ rule snifferport {
 rule sig_238_webget {
 meta:
 description = "Disclosed hacktool set (old stuff) - file webget.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1609,6 +1671,7 @@ rule sig_238_webget {
 rule XYZCmd_zip_Folder_XYZCmd {
 meta:
 description = "Disclosed hacktool set (old stuff) - file XYZCmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1625,6 +1688,7 @@ rule XYZCmd_zip_Folder_XYZCmd {
 rule ASPack_Chinese {
 meta:
 description = "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1642,6 +1706,7 @@ rule ASPack_Chinese {
 rule aspbackdoor_EDIR {
 meta:
 description = "Disclosed hacktool set (old stuff) - file EDIR.ASP"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1659,6 +1724,7 @@ rule aspbackdoor_EDIR {
 rule ByPassFireWall_zip_Folder_Ie {
 meta:
 description = "Disclosed hacktool set (old stuff) - file Ie.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1675,6 +1741,7 @@ rule ByPassFireWall_zip_Folder_Ie {
 rule EditKeyLogReadMe {
 meta:
 description = "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1693,6 +1760,7 @@ rule EditKeyLogReadMe {
 rule PassSniffer_zip_Folder_readme {
 meta:
 description = "Disclosed hacktool set (old stuff) - file readme.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1708,6 +1776,7 @@ rule PassSniffer_zip_Folder_readme {
 rule sig_238_gina {
 meta:
 description = "Disclosed hacktool set (old stuff) - file gina.reg"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1723,6 +1792,7 @@ rule sig_238_gina {
 rule splitjoin {
 meta:
 description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1739,6 +1809,7 @@ rule splitjoin {
 rule EditKeyLog {
 meta:
 description = "Disclosed hacktool set (old stuff) - file EditKeyLog.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1755,6 +1826,7 @@ rule EditKeyLog {
 rule PassSniffer {
 meta:
 description = "Disclosed hacktool set (old stuff) - file PassSniffer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1773,6 +1845,7 @@ rule PassSniffer {
 rule aspfile2 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file aspfile2.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1789,6 +1862,7 @@ rule aspfile2 {
 rule UnPack_rar_Folder_InjectT {
 meta:
 description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1812,6 +1886,7 @@ rule UnPack_rar_Folder_InjectT {
 rule Jc_WinEggDrop_Shell {
 meta:
 description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1831,6 +1906,7 @@ rule Jc_WinEggDrop_Shell {
 rule aspbackdoor_asp1 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file asp1.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1849,6 +1925,7 @@ rule aspbackdoor_asp1 {
 rule QQ_zip_Folder_QQ {
 meta:
 description = "Disclosed hacktool set (old stuff) - file QQ.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1869,6 +1946,7 @@ rule QQ_zip_Folder_QQ {
 rule UnPack_rar_Folder_TBack {
 meta:
 description = "Disclosed hacktool set (old stuff) - file TBack.DLL"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1897,6 +1975,7 @@ rule UnPack_rar_Folder_TBack {
 rule sig_238_cmd_2 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file cmd.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1914,6 +1993,7 @@ rule sig_238_cmd_2 {
 rule RangeScan {
 meta:
 description = "Disclosed hacktool set (old stuff) - file RangeScan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1931,6 +2011,7 @@ rule RangeScan {
 rule XYZCmd_zip_Folder_Readme {
 meta:
 description = "Disclosed hacktool set (old stuff) - file Readme.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1945,6 +2026,7 @@ rule XYZCmd_zip_Folder_Readme {
 rule ByPassFireWall_zip_Folder_Inject {
 meta:
 description = "Disclosed hacktool set (old stuff) - file Inject.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1960,6 +2042,7 @@ rule ByPassFireWall_zip_Folder_Inject {
 rule sig_238_sqlcmd {
 meta:
 description = "Disclosed hacktool set (old stuff) - file sqlcmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 40
@@ -1979,6 +2062,7 @@ rule sig_238_sqlcmd {
 rule ASPack_ASPACK {
 meta:
 description = "Disclosed hacktool set (old stuff) - file ASPACK.EXE"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -1994,6 +2078,7 @@ rule ASPack_ASPACK {
 rule sig_238_2323 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file 2323.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2012,6 +2097,7 @@ rule sig_238_2323 {
 rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file Install.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2030,6 +2116,7 @@ rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 {
 rule sig_238_TFTPD32 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file TFTPD32.EXE"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2051,6 +2138,7 @@ rule sig_238_TFTPD32 {
 rule sig_238_iecv {
 meta:
 description = "Disclosed hacktool set (old stuff) - file iecv.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2068,6 +2156,7 @@ rule sig_238_iecv {
 rule Antiy_Ports_1_21 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file Antiy Ports 1.21.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2083,6 +2172,7 @@ rule Antiy_Ports_1_21 {
 rule perlcmd_zip_Folder_cmd {
 meta:
 description = "Disclosed hacktool set (old stuff) - file cmd.cgi"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2103,6 +2193,7 @@ rule perlcmd_zip_Folder_cmd {
 rule aspbackdoor_asp3 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file asp3.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2123,6 +2214,7 @@ rule aspbackdoor_asp3 {
 rule sig_238_FPipe {
 meta:
 description = "Disclosed hacktool set (old stuff) - file FPipe.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2141,6 +2233,7 @@ rule sig_238_FPipe {
 rule sig_238_concon {
 meta:
 description = "Disclosed hacktool set (old stuff) - file concon.com"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2154,6 +2247,7 @@ rule sig_238_concon {
 rule aspbackdoor_regdll {
 meta:
 description = "Disclosed hacktool set (old stuff) - file regdll.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2170,6 +2264,7 @@ rule aspbackdoor_regdll {
 rule CleanIISLog {
 meta:
 description = "Disclosed hacktool set (old stuff) - file CleanIISLog.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2191,6 +2286,7 @@ rule CleanIISLog {
 rule sqlcheck {
 meta:
 description = "Disclosed hacktool set (old stuff) - file sqlcheck.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2208,6 +2304,7 @@ rule sqlcheck {
 rule sig_238_RunAsEx {
 meta:
 description = "Disclosed hacktool set (old stuff) - file RunAsEx.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2226,6 +2323,7 @@ rule sig_238_RunAsEx {
 rule sig_238_nbtdump {
 meta:
 description = "Disclosed hacktool set (old stuff) - file nbtdump.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2245,6 +2343,7 @@ rule sig_238_nbtdump {
 rule sig_238_Glass2k {
 meta:
 description = "Disclosed hacktool set (old stuff) - file Glass2k.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2262,6 +2361,7 @@ rule sig_238_Glass2k {
 rule SplitJoin_V1_3_3_rar_Folder_3 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2277,6 +2377,7 @@ rule SplitJoin_V1_3_3_rar_Folder_3 {
 rule aspbackdoor_EDIT {
 meta:
 description = "Disclosed hacktool set (old stuff) - file EDIT.ASP"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2296,6 +2397,7 @@ rule aspbackdoor_EDIT {
 rule aspbackdoor_entice {
 meta:
 description = "Disclosed hacktool set (old stuff) - file entice.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2313,6 +2415,7 @@ rule aspbackdoor_entice {
 rule FPipe2_0 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file FPipe2.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2331,6 +2434,7 @@ rule FPipe2_0 {
 rule InstGina {
 meta:
 description = "Disclosed hacktool set (old stuff) - file InstGina.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2346,6 +2450,7 @@ rule InstGina {
 rule ArtTray_zip_Folder_ArtTray {
 meta:
 description = "Disclosed hacktool set (old stuff) - file ArtTray.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2362,6 +2467,7 @@ rule ArtTray_zip_Folder_ArtTray {
 rule sig_238_findoor {
 meta:
 description = "Disclosed hacktool set (old stuff) - file findoor.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2379,6 +2485,7 @@ rule sig_238_findoor {
 rule aspbackdoor_ipclear {
 meta:
 description = "Disclosed hacktool set (old stuff) - file ipclear.vbs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2396,6 +2503,7 @@ rule aspbackdoor_ipclear {
 rule WinEggDropShellFinal_zip_Folder_InjectT {
 meta:
 description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2413,6 +2521,7 @@ rule WinEggDropShellFinal_zip_Folder_InjectT {
 rule gina_zip_Folder_gina {
 meta:
 description = "Disclosed hacktool set (old stuff) - file gina.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2433,6 +2542,7 @@ rule gina_zip_Folder_gina {
 rule superscan3_0 {
 meta:
 description = "Disclosed hacktool set (old stuff) - file superscan3.0.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2454,6 +2564,7 @@ rule superscan3_0 {
 rule sig_238_xsniff {
 meta:
 description = "Disclosed hacktool set (old stuff) - file xsniff.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2475,6 +2586,7 @@ rule sig_238_xsniff {
 rule sig_238_fscan {
 meta:
 description = "Disclosed hacktool set (old stuff) - file fscan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2496,6 +2608,7 @@ rule sig_238_fscan {
 rule _iissample_nesscan_twwwscan {
 meta:
 description = "Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2522,6 +2635,7 @@ rule _iissample_nesscan_twwwscan {
 rule _FsHttp_FsPop_FsSniffer {
 meta:
 description = "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "23.11.14"
 score = 60
@@ -2548,6 +2662,7 @@ rule _FsHttp_FsPop_FsSniffer {
 rule Ammyy_Admin_AA_v3 {
 meta:
 description = "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/gkAg2E"
 date = "2014/12/22"
@@ -2574,6 +2689,7 @@ rule Ammyy_Admin_AA_v3 {
 rule LinuxHacktool_eyes_scanssh {
 meta:
 description = "Linux hack tools - file scanssh"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/01/19"
@@ -2599,6 +2715,7 @@ rule LinuxHacktool_eyes_scanssh {
 rule LinuxHacktool_eyes_pscan2 {
 meta:
 description = "Linux hack tools - file pscan2"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/01/19"
@@ -2617,6 +2734,7 @@ rule LinuxHacktool_eyes_pscan2 {
 rule LinuxHacktool_eyes_a {
 meta:
 description = "Linux hack tools - file a"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/01/19"
@@ -2635,6 +2753,7 @@ rule LinuxHacktool_eyes_a {
 rule LinuxHacktool_eyes_mass {
 meta:
 description = "Linux hack tools - file mass"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/01/19"
@@ -2652,6 +2771,7 @@ rule LinuxHacktool_eyes_mass {
 rule LinuxHacktool_eyes_pscan2_2 {
 meta:
 description = "Linux hack tools - file pscan2.c"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/01/19"
@@ -2670,7 +2790,8 @@ rule CN_Portscan : APT
 {
 meta:
 description = "CN Port Scanner"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 release_date = "2013-11-29"
 confidential = false
 score = 70
@@ -2684,7 +2805,8 @@ rule WMI_vbs : APT
 {
 meta:
 description = "WMI Tool - APT"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 release_date = "2013-11-29"
 confidential = false
 score = 70
@@ -2697,6 +2819,7 @@ rule WMI_vbs : APT
 rule CN_Toolset__XScanLib_XScanLib_XScanLib {
 meta:
 description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://qiannao.com/ls/905300366/33834c0c/"
 date = "2015/03/30"
@@ -2718,6 +2841,7 @@ rule CN_Toolset__XScanLib_XScanLib_XScanLib {
 rule CN_Toolset_NTscan_PipeCmd {
 meta:
 description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://qiannao.com/ls/905300366/33834c0c/"
 date = "2015/03/30"
@@ -2742,6 +2866,7 @@ rule CN_Toolset_NTscan_PipeCmd {
 rule CN_Toolset_LScanPortss_2 {
 meta:
 description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://qiannao.com/ls/905300366/33834c0c/"
 date = "2015/03/30"
@@ -2762,6 +2887,7 @@ rule CN_Toolset_LScanPortss_2 {
 rule CN_Toolset_sig_1433_135_sqlr {
 meta:
 description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://qiannao.com/ls/905300366/33834c0c/"
 date = "2015/03/30"
@@ -2779,6 +2905,7 @@ rule CN_Toolset_sig_1433_135_sqlr {
 rule DarkComet_Keylogger_File
 {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Looks like a keylogger file created by DarkComet Malware"
 date = "25.07.14"
@@ -2794,6 +2921,7 @@ rule DarkComet_Keylogger_File
 rule Mimikatz_Memory_Rule_1 : APT
 {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "12/22/2014"
 score = 70
@@ -2914,6 +3042,7 @@ rule Mimikatz_Logfile
 {
 meta:
 description = "Detects a log file generated by malicious hack tool mimikatz"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 80
 date = "2015/03/31"
@@ -2929,6 +3058,7 @@ rule Mimikatz_Logfile
 rule Mimikatz_Strings {
 meta:
 description = "Detects Mimikatz strings"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2016-06-08"
@@ -2962,6 +3092,7 @@ rule Mimikatz_Strings {
 rule AppInitHook {
 meta:
 description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Z292v6"
 date = "2015-07-15"
@@ -2982,6 +3113,7 @@ rule AppInitHook {
 rule VSSown_VBS {
 meta:
 description = "Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-10-01"
 score = 75
@@ -2999,6 +3131,7 @@ rule VSSown_VBS {
 rule Netview_Hacktool {
 meta:
 description = "Network domain enumeration tool - often used by attackers - file Nv.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/mubix/netview"
 date = "2016-03-07"
@@ -3022,6 +3155,7 @@ rule Netview_Hacktool {
 rule Netview_Hacktool_Output {
 meta:
 description = "Network domain enumeration tool output - often used by attackers - file filename.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/mubix/netview"
 date = "2016-03-07"
@@ -3046,6 +3180,7 @@ rule Netview_Hacktool_Output {
 rule PSAttack_EXE {
 meta:
 description = "PSAttack - Powershell attack tool - file PSAttack.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/gdssecurity/PSAttack/releases/"
 date = "2016-03-09"
@@ -3065,6 +3200,7 @@ rule PSAttack_EXE {
 rule Powershell_Attack_Scripts {
 meta:
 description = "Powershell Attack Scripts"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2016-03-09"
 score = 70
@@ -3080,6 +3216,7 @@ rule Powershell_Attack_Scripts {
 rule PSAttack_ZIP {
 meta:
 description = "PSAttack - Powershell attack tool - file PSAttack.zip"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/gdssecurity/PSAttack/releases/"
 date = "2016-03-09"
@@ -3103,6 +3240,7 @@ rule PSAttack_ZIP {
 rule Linux_Portscan_Shark_1 {
 meta:
 description = "Detects Linux Port Scanner Shark"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35"
 date = "2016-04-01"
@@ -3120,6 +3258,7 @@ rule Linux_Portscan_Shark_1 {
 rule Linux_Portscan_Shark_2 {
 meta:
 description = "Detects Linux Port Scanner Shark"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35"
 date = "2016-04-01"
@@ -3144,6 +3283,7 @@ rule Linux_Portscan_Shark_2 {
 rule dnscat2_Hacktool {
 meta:
 description = "Detects dnscat2 - from files dnscat, dnscat2.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://downloads.skullsecurity.org/dnscat2/"
 date = "2016-05-15"
@@ -3163,6 +3303,7 @@ rule dnscat2_Hacktool {
 rule WCE_in_memory {
 meta:
 description = "Detects Windows Credential Editor (WCE) in memory (and also on disk)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 score = 80
@@ -3177,6 +3318,7 @@ rule WCE_in_memory {
 rule pstgdump {
 meta:
 description = "Detects a tool used by APT groups - file pstgdump.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
@@ -3195,6 +3337,7 @@ rule pstgdump {
 rule lsremora {
 meta:
 description = "Detects a tool used by APT groups"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
@@ -3217,6 +3360,7 @@ rule lsremora {
 rule servpw {
 meta:
 description = "Detects a tool used by APT groups - file servpw.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
@@ -3236,6 +3380,7 @@ rule servpw {
 rule fgexec {
 meta:
 description = "Detects a tool used by APT groups - file fgexec.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
@@ -3252,6 +3397,7 @@ rule fgexec {
 rule cachedump {
 meta:
 description = "Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
@@ -3272,6 +3418,7 @@ rule cachedump {
 rule PwDump_B {
 meta:
 description = "Detects a tool used by APT groups - file PwDump.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/igxLyF"
 date = "2016-09-08"
@@ -3301,6 +3448,7 @@ rule PwDump_B {
 rule MSBuild_Mimikatz_Execution_via_XML {
 meta:
 description = "Detects an XML that executes Mimikatz on an endpoint via MSBuild"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml"
 date = "2016-10-07"
@@ -3329,6 +3477,7 @@ rule MSBuild_Mimikatz_Execution_via_XML {
 rule Fscan_Portscanner {
 meta:
 description = "Fscan port scanner scan output / strings"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://twitter.com/JamesHabben/status/817112447970480128"
 date = "2017-01-06"
@@ -3353,6 +3502,7 @@ rule Fscan_Portscanner {
 rule WPR_loader_EXE {
 meta:
 description = "Windows Password Recovery - file loader.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-15"
@@ -3373,6 +3523,7 @@ rule WPR_loader_EXE {
 rule WPR_loader_DLL {
 meta:
 description = "Windows Password Recovery - file loader64.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-15"
@@ -3406,6 +3557,7 @@ rule WPR_loader_DLL {
 rule WPR_Passscape_Loader {
 meta:
 description = "Windows Password Recovery - file ast.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-15"
@@ -3424,6 +3576,7 @@ rule WPR_Passscape_Loader {
 rule WPR_Asterisk_Hook_Library {
 meta:
 description = "Windows Password Recovery - file ast64.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-15"
@@ -3446,6 +3599,7 @@ rule WPR_Asterisk_Hook_Library {
 rule WPR_WindowsPasswordRecovery_EXE {
 meta:
 description = "Windows Password Recovery - file wpr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-15"
@@ -3475,6 +3629,7 @@ rule WPR_WindowsPasswordRecovery_EXE {
 rule WPR_WindowsPasswordRecovery_EXE_64 {
 meta:
 description = "Windows Password Recovery - file ast64.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-03-15"
@@ -3502,6 +3657,7 @@ rule WPR_WindowsPasswordRecovery_EXE_64 {
 rule BeyondExec_RemoteAccess_Tool {
 meta:
 description = "Detects BeyondExec Remote Access Tool - file rexesvr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/BvYurS"
 date = "2017-03-17"
@@ -3520,6 +3676,7 @@ rule BeyondExec_RemoteAccess_Tool {
 rule Mimikatz_Gen_Strings {
 meta:
 description = "Detects Mimikatz by using some special strings"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-06-19"
@@ -3552,6 +3709,7 @@ rule Mimikatz_Gen_Strings {
 rule Disclosed_0day_POCs_lpe {
 meta:
 description = "Detects POC code from disclosed 0day hacktool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed 0day Repos"
 date = "2017-07-07"
@@ -3573,6 +3731,7 @@ rule Disclosed_0day_POCs_lpe {
 rule Disclosed_0day_POCs_exploit {
 meta:
 description = "Detects POC code from disclosed 0day hacktool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed 0day Repos"
 date = "2017-07-07"
@@ -3587,6 +3746,7 @@ rule Disclosed_0day_POCs_exploit {
 rule Disclosed_0day_POCs_InjectDll {
 meta:
 description = "Detects POC code from disclosed 0day hacktool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed 0day Repos"
 date = "2017-07-07"
@@ -3604,6 +3764,7 @@ rule Disclosed_0day_POCs_InjectDll {
 rule Disclosed_0day_POCs_payload_MSI {
 meta:
 description = "Detects POC code from disclosed 0day hacktool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed 0day Repos"
 date = "2017-07-07"
@@ -3619,6 +3780,7 @@ rule Disclosed_0day_POCs_payload_MSI {
 rule Disclosed_0day_POCs_injector {
 meta:
 description = "Detects POC code from disclosed 0day hacktool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed 0day Repos"
 date = "2017-07-07"
@@ -3639,6 +3801,7 @@ rule Disclosed_0day_POCs_injector {
 rule Disclosed_0day_POCs_lpe_2 {
 meta:
 description = "Detects POC code from disclosed 0day hacktool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed 0day Repos"
 date = "2017-07-07"
@@ -3654,6 +3817,7 @@ rule Disclosed_0day_POCs_lpe_2 {
 rule Disclosed_0day_POCs_shellcodegenerator {
 meta:
 description = "Detects POC code from disclosed 0day hacktool set"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Disclosed 0day Repos"
 date = "2017-07-07"
@@ -3667,6 +3831,7 @@ rule Disclosed_0day_POCs_shellcodegenerator {
 rule SecurityXploded_Producer_String {
 meta:
 description = "Detects hacktools by SecurityXploded"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://securityxploded.com/browser-password-dump.php"
 date = "2017-07-13"
@@ -3691,6 +3856,7 @@ rule SecurityXploded_Producer_String {
 rule Kekeo_Hacktool {
 meta:
 description = "Detects Kekeo Hacktool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/gentilkiwi/kekeo/releases"
 date = "2017-07-21"
@@ -3717,6 +3883,7 @@ rule Kekeo_Hacktool {
 rule AllTheThings {
 meta:
 description = "Detects AllTheThings"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/subTee/AllTheThings"
 date = "2017-07-27"
@@ -3735,6 +3902,7 @@ rule AllTheThings {
 rule Impacket_Keyword {
 meta:
 description = "Detects Impacket Keyword in Executable"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-08-04"
@@ -3763,6 +3931,7 @@ import "pe"
 rule PasswordsPro {
 meta:
 description = "Auto-generated rule - file PasswordsPro.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "PasswordPro"
 date = "2017-08-27"
@@ -3781,6 +3950,7 @@ rule PasswordsPro {
 rule PasswordPro_NTLM_DLL {
 meta:
 description = "Auto-generated rule - file NTLM.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "PasswordPro"
 date = "2017-08-27"
@@ -3809,6 +3979,7 @@ rule PasswordPro_NTLM_DLL {
 rule KeeThief_PS {
 meta:
 description = "Detects component of KeeTheft - KeePass dump tool - file KeeThief.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/HarmJ0y/KeeThief"
 date = "2017-08-29"
@@ -3826,6 +3997,7 @@ rule KeeThief_PS {
 rule KeeTheft_EXE {
 meta:
 description = "Detects component of KeeTheft - KeePass dump tool - file KeeTheft.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/HarmJ0y/KeeThief"
 date = "2017-08-29"
@@ -3845,6 +4017,7 @@ rule KeeTheft_EXE {
 rule KeeTheft_Out_Shellcode {
 meta:
 description = "Detects component of KeeTheft - KeePass dump tool - file Out-Shellcode.ps1"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/HarmJ0y/KeeThief"
 date = "2017-08-29"
@@ -3867,6 +4040,7 @@ rule KeeTheft_Out_Shellcode {
 rule Sharpire {
 meta:
 description = "Auto-generated rule - file Sharpire.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/0xbadjuju/Sharpire"
 date = "2017-09-23"
@@ -3897,6 +4071,7 @@ rule Sharpire {
 rule Invoke_Metasploit {
 meta:
 description = "Detects Invoke-Metasploit Payload"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/jaredhaight/Invoke-MetasploitPayload/blob/master/Invoke-MetasploitPayload.ps1"
 date = "2017-09-23"
@@ -3912,6 +4087,7 @@ rule Invoke_Metasploit {
 rule PowerShell_Mal_HackTool_Gen {
 meta:
 description = "Detects PowerShell hack tool samples - generic PE loader"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-11-02"
@@ -3928,6 +4104,7 @@ rule PowerShell_Mal_HackTool_Gen {
 rule Sig_RemoteAdmin_1 {
 meta:
 description = "Detects strings from well-known APT malware"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-12-03"
@@ -3942,6 +4119,7 @@ rule Sig_RemoteAdmin_1 {
 rule RemCom_RemoteCommandExecution {
 meta:
 description = "Detects strings from RemCom tool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/tezXZt"
 date = "2017-12-28"
@@ -3957,6 +4135,7 @@ rule RemCom_RemoteCommandExecution {
 rule Crackmapexec_EXE {
 meta:
 description = "Detects CrackMapExec hack tool"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-04-06"
@@ -3973,6 +4152,7 @@ rule Crackmapexec_EXE {
 rule SUSP_Imphash_PassRevealer_PY_EXE {
 meta:
 description = "Detects an imphash used by password revealer and hack tools"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-04-06"
@@ -3990,6 +4170,7 @@ rule SUSP_Imphash_PassRevealer_PY_EXE {
 rule MAL_Unknown_PWDumper_Apr18_3 {
 meta:
 description = "Detects sample from unknown sample set - IL origin"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2018-04-06"
@@ -4009,6 +4190,7 @@ rule MAL_Unknown_PWDumper_Apr18_3 {
 rule ProcessInjector_Gen {
 meta:
 description = "Detects a process injection utility that can be used ofr good and bad purposes"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c"
 date = "2018-04-23"
diff --git a/yara/thor-webshells.yar b/yara/thor-webshells.yar
index 405feb4..bbdb41d 100644
--- a/yara/thor-webshells.yar
+++ b/yara/thor-webshells.yar
@@ -17,6 +17,7 @@
 rule Weevely_Webshell {
 meta:
 description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html"
 date = "2014/12/14"
@@ -34,6 +35,7 @@ rule Weevely_Webshell {
 rule webshell_h4ntu_shell_powered_by_tsoi_ {
 meta:
 description = "Web Shell - file h4ntu shell [powered by tsoi].php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -49,6 +51,7 @@ rule webshell_h4ntu_shell_powered_by_tsoi_ {
 rule webshell_PHP_sql {
 meta:
 description = "Web Shell - file sql.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -62,6 +65,7 @@ rule webshell_PHP_sql {
 rule webshell_PHP_a {
 meta:
 description = "Web Shell - file a.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -76,6 +80,7 @@ rule webshell_PHP_a {
 rule webshell_iMHaPFtp_2 {
 meta:
 description = "Web Shell - file iMHaPFtp.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -89,6 +94,7 @@ rule webshell_iMHaPFtp_2 {
 rule webshell_Jspspyweb {
 meta:
 description = "Web Shell - file Jspspyweb.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -102,6 +108,7 @@ rule webshell_Jspspyweb {
 rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
 meta:
 description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -115,6 +122,7 @@ rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
 rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
 meta:
 description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -128,6 +136,7 @@ rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
 rule webshell_phpshell_2_1_pwhash {
 meta:
 description = "Web Shell - file pwhash.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -141,6 +150,7 @@ rule webshell_phpshell_2_1_pwhash {
 rule webshell_PHPRemoteView {
 meta:
 description = "Web Shell - file PHPRemoteView.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -154,6 +164,7 @@ rule webshell_PHPRemoteView {
 rule webshell_jsp_12302 {
 meta:
 description = "Web Shell - file 12302.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -168,6 +179,7 @@ rule webshell_jsp_12302 {
 rule webshell_caidao_shell_guo {
 meta:
 description = "Web Shell - file guo.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -181,6 +193,7 @@ rule webshell_caidao_shell_guo {
 rule webshell_PHP_redcod {
 meta:
 description = "Web Shell - file redcod.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -194,6 +207,7 @@ rule webshell_PHP_redcod {
 rule webshell_remview_fix {
 meta:
 description = "Web Shell - file remview_fix.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -207,6 +221,7 @@ rule webshell_remview_fix {
 rule webshell_asp_cmd {
 meta:
 description = "Web Shell - file cmd.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -221,6 +236,7 @@ rule webshell_asp_cmd {
 rule webshell_php_sh_server {
 meta:
 description = "Web Shell - file server.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 50
@@ -233,6 +249,7 @@ rule webshell_php_sh_server {
 rule webshell_PH_Vayv_PH_Vayv {
 meta:
 description = "Web Shell - file PH Vayv.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -246,6 +263,7 @@ rule webshell_PH_Vayv_PH_Vayv {
 rule webshell_caidao_shell_ice {
 meta:
 description = "Web Shell - file ice.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -258,6 +276,7 @@ rule webshell_caidao_shell_ice {
 rule webshell_cihshell_fix {
 meta:
 description = "Web Shell - file cihshell_fix.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -271,6 +290,7 @@ rule webshell_cihshell_fix {
 rule webshell_asp_shell {
 meta:
 description = "Web Shell - file shell.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -284,6 +304,7 @@ rule webshell_asp_shell {
 rule webshell_Private_i3lue {
 meta:
 description = "Web Shell - file Private-i3lue.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -296,6 +317,7 @@ rule webshell_Private_i3lue {
 rule webshell_php_up {
 meta:
 description = "Web Shell - file up.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -310,6 +332,7 @@ rule webshell_php_up {
 rule webshell_Mysql_interface_v1_0 {
 meta:
 description = "Web Shell - file Mysql interface v1.0.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -322,6 +345,7 @@ rule webshell_Mysql_interface_v1_0 {
 rule webshell_php_s_u {
 meta:
 description = "Web Shell - file s-u.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -334,6 +358,7 @@ rule webshell_php_s_u {
 rule webshell_phpshell_2_1_config {
 meta:
 description = "Web Shell - file config.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -346,6 +371,7 @@ rule webshell_phpshell_2_1_config {
 rule webshell_asp_EFSO_2 {
 meta:
 description = "Web Shell - file EFSO_2.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -358,6 +384,7 @@ rule webshell_asp_EFSO_2 {
 rule webshell_jsp_up {
 meta:
 description = "Web Shell - file up.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -370,6 +397,7 @@ rule webshell_jsp_up {
 rule webshell_NetworkFileManagerPHP {
 meta:
 description = "Web Shell - file NetworkFileManagerPHP.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -382,6 +410,7 @@ rule webshell_NetworkFileManagerPHP {
 rule webshell_Server_Variables {
 meta:
 description = "Web Shell - file Server Variables.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -395,6 +424,7 @@ rule webshell_Server_Variables {
 rule webshell_caidao_shell_ice_2 {
 meta:
 description = "Web Shell - file ice.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -407,6 +437,7 @@ rule webshell_caidao_shell_ice_2 {
 rule webshell_caidao_shell_mdb {
 meta:
 description = "Web Shell - file mdb.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -419,6 +450,7 @@ rule webshell_caidao_shell_mdb {
 rule webshell_jsp_guige {
 meta:
 description = "Web Shell - file guige.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -431,6 +463,7 @@ rule webshell_jsp_guige {
 rule webshell_phpspy2010 {
 meta:
 description = "Web Shell - file phpspy2010.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -445,6 +478,7 @@ rule webshell_phpspy2010 {
 rule webshell_asp_ice {
 meta:
 description = "Web Shell - file ice.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -457,6 +491,7 @@ rule webshell_asp_ice {
 rule webshell_drag_system {
 meta:
 description = "Web Shell - file system.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -469,6 +504,7 @@ rule webshell_drag_system {
 rule webshell_DarkBlade1_3_asp_indexx {
 meta:
 description = "Web Shell - file indexx.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -481,6 +517,7 @@ rule webshell_DarkBlade1_3_asp_indexx {
 rule webshell_phpshell3 {
 meta:
 description = "Web Shell - file phpshell3.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -495,6 +532,7 @@ rule webshell_phpshell3 {
 rule webshell_jsp_hsxa {
 meta:
 description = "Web Shell - file hsxa.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -507,6 +545,7 @@ rule webshell_jsp_hsxa {
 rule webshell_jsp_utils {
 meta:
 description = "Web Shell - file utils.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -520,6 +559,7 @@ rule webshell_jsp_utils {
 rule webshell_asp_01 {
 meta:
 description = "Web Shell - file 01.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 50
@@ -532,6 +572,7 @@ rule webshell_asp_01 {
 rule webshell_asp_404 {
 meta:
 description = "Web Shell - file 404.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -544,6 +585,7 @@ rule webshell_asp_404 {
 rule webshell_webshell_cnseay02_1 {
 meta:
 description = "Web Shell - file webshell-cnseay02-1.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -556,6 +598,7 @@ rule webshell_webshell_cnseay02_1 {
 rule webshell_php_fbi {
 meta:
 description = "Web Shell - file fbi.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -568,6 +611,7 @@ rule webshell_php_fbi {
 rule webshell_B374kPHP_B374k {
 meta:
 description = "Web Shell - file B374k.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -583,6 +627,7 @@ rule webshell_B374kPHP_B374k {
 rule webshell_cmd_asp_5_1 {
 meta:
 description = "Web Shell - file cmd-asp-5.1.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -595,6 +640,7 @@ rule webshell_cmd_asp_5_1 {
 rule webshell_php_dodo_zip {
 meta:
 description = "Web Shell - file zip.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -608,6 +654,7 @@ rule webshell_php_dodo_zip {
 rule webshell_aZRaiLPhp_v1_0 {
 meta:
 description = "Web Shell - file aZRaiLPhp v1.0.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -621,6 +668,7 @@ rule webshell_aZRaiLPhp_v1_0 {
 rule webshell_php_list {
 meta:
 description = "Web Shell - file list.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -635,6 +683,7 @@ rule webshell_php_list {
 rule webshell_ironshell {
 meta:
 description = "Web Shell - file ironshell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -648,6 +697,7 @@ rule webshell_ironshell {
 rule webshell_caidao_shell_404 {
 meta:
 description = "Web Shell - file 404.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -660,6 +710,7 @@ rule webshell_caidao_shell_404 {
 rule webshell_ASP_aspydrv {
 meta:
 description = "Web Shell - file aspydrv.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -672,6 +723,7 @@ rule webshell_ASP_aspydrv {
 rule webshell_jsp_web {
 meta:
 description = "Web Shell - file web.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -684,6 +736,7 @@ rule webshell_jsp_web {
 rule webshell_mysqlwebsh {
 meta:
 description = "Web Shell - file mysqlwebsh.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -696,6 +749,7 @@ rule webshell_mysqlwebsh {
 rule webshell_jspShell {
 meta:
 description = "Web Shell - file jspShell.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -709,6 +763,7 @@ rule webshell_jspShell {
 rule webshell_Dx_Dx {
 meta:
 description = "Web Shell - file Dx.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -722,6 +777,7 @@ rule webshell_Dx_Dx {
 rule webshell_asp_ntdaddy {
 meta:
 description = "Web Shell - file ntdaddy.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -735,6 +791,7 @@ rule webshell_asp_ntdaddy {
 rule webshell_MySQL_Web_Interface_Version_0_8 {
 meta:
 description = "Web Shell - file MySQL Web Interface Version 0.8.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -747,6 +804,7 @@ rule webshell_MySQL_Web_Interface_Version_0_8 {
 rule webshell_elmaliseker_2 {
 meta:
 description = "Web Shell - file elmaliseker.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -760,6 +818,7 @@ rule webshell_elmaliseker_2 {
 rule webshell_ASP_RemExp {
 meta:
 description = "Web Shell - file RemExp.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -773,6 +832,7 @@ rule webshell_ASP_RemExp {
 rule webshell_jsp_list1 {
 meta:
 description = "Web Shell - file list1.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -786,6 +846,7 @@ rule webshell_jsp_list1 {
 rule webshell_phpkit_1_0_odd {
 meta:
 description = "Web Shell - file odd.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -800,6 +861,7 @@ rule webshell_phpkit_1_0_odd {
 rule webshell_jsp_123 {
 meta:
 description = "Web Shell - file 123.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -814,6 +876,7 @@ rule webshell_jsp_123 {
 rule webshell_asp_1 {
 meta:
 description = "Web Shell - file 1.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -827,6 +890,7 @@ rule webshell_asp_1 {
 rule webshell_ASP_tool {
 meta:
 description = "Web Shell - file tool.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -841,6 +905,7 @@ rule webshell_ASP_tool {
 rule webshell_cmd_win32 {
 meta:
 description = "Web Shell - file cmd_win32.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -854,6 +919,7 @@ rule webshell_cmd_win32 {
 rule webshell_jsp_jshell {
 meta:
 description = "Web Shell - file jshell.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -870,6 +936,7 @@ rule webshell_jsp_jshell {
 rule webshell_ASP_zehir4 {
 meta:
 description = "Web Shell - file zehir4.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -882,6 +949,7 @@ rule webshell_ASP_zehir4 {
 rule webshell_wsb_idc {
 meta:
 description = "Web Shell - file idc.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -895,6 +963,7 @@ rule webshell_wsb_idc {
 rule webshell_cpg_143_incl_xpl {
 meta:
 description = "Web Shell - file cpg_143_incl_xpl.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -908,6 +977,7 @@ rule webshell_cpg_143_incl_xpl {
 rule webshell_mumaasp_com {
 meta:
 description = "Web Shell - file mumaasp.com.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -920,6 +990,7 @@ rule webshell_mumaasp_com {
 rule webshell_php_404 {
 meta:
 description = "Web Shell - file 404.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -932,6 +1003,7 @@ rule webshell_php_404 {
 rule webshell_webshell_cnseay_x {
 meta:
 description = "Web Shell - file webshell-cnseay-x.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -944,6 +1016,7 @@ rule webshell_webshell_cnseay_x {
 rule webshell_asp_up {
 meta:
 description = "Web Shell - file up.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -957,6 +1030,7 @@ rule webshell_asp_up {
 rule webshell_phpkit_0_1a_odd {
 meta:
 description = "Web Shell - file odd.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -972,6 +1046,7 @@ rule webshell_phpkit_0_1a_odd {
 rule webshell_ASP_cmd {
 meta:
 description = "Web Shell - file cmd.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -984,6 +1059,7 @@ rule webshell_ASP_cmd {
 rule webshell_PHP_Shell_x3 {
 meta:
 description = "Web Shell - file PHP Shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -998,6 +1074,7 @@ rule webshell_PHP_Shell_x3 {
 rule webshell_PHP_g00nv13 {
 meta:
 description = "Web Shell - file g00nv13.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1011,6 +1088,7 @@ rule webshell_PHP_g00nv13 {
 rule webshell_php_h6ss {
 meta:
 description = "Web Shell - file h6ss.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1023,6 +1101,7 @@ rule webshell_php_h6ss {
 rule webshell_jsp_zx {
 meta:
 description = "Web Shell - file zx.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1035,6 +1114,7 @@ rule webshell_jsp_zx {
 rule webshell_Ani_Shell {
 meta:
 description = "Web Shell - file Ani-Shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1049,6 +1129,7 @@ rule webshell_Ani_Shell {
 rule webshell_jsp_k8cmd {
 meta:
 description = "Web Shell - file k8cmd.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1062,6 +1143,7 @@ rule webshell_jsp_k8cmd {
 rule webshell_jsp_cmd {
 meta:
 description = "Web Shell - file cmd.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1075,6 +1157,7 @@ rule webshell_jsp_cmd {
 rule webshell_jsp_k81 {
 meta:
 description = "Web Shell - file k81.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1088,6 +1171,7 @@ rule webshell_jsp_k81 {
 rule webshell_ASP_zehir {
 meta:
 description = "Web Shell - file zehir.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1100,6 +1184,7 @@ rule webshell_ASP_zehir {
 rule webshell_Worse_Linux_Shell {
 meta:
 description = "Web Shell - file Worse Linux Shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1112,6 +1197,7 @@ rule webshell_Worse_Linux_Shell {
 rule webshell_zacosmall {
 meta:
 description = "Web Shell - file zacosmall.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1124,6 +1210,7 @@ rule webshell_zacosmall {
 rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
 meta:
 description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1136,6 +1223,7 @@ rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
 rule webshell_redirect {
 meta:
 description = "Web Shell - file redirect.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1148,6 +1236,7 @@ rule webshell_redirect {
 rule webshell_jsp_cmdjsp {
 meta:
 description = "Web Shell - file cmdjsp.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1160,6 +1249,7 @@ rule webshell_jsp_cmdjsp {
 rule webshell_Java_Shell {
 meta:
 description = "Web Shell - file Java Shell.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1173,6 +1263,7 @@ rule webshell_Java_Shell {
 rule webshell_asp_1d {
 meta:
 description = "Web Shell - file 1d.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1185,6 +1276,7 @@ rule webshell_asp_1d {
 rule webshell_jsp_IXRbE {
 meta:
 description = "Web Shell - file IXRbE.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1197,6 +1289,7 @@ rule webshell_jsp_IXRbE {
 rule webshell_PHP_G5 {
 meta:
 description = "Web Shell - file G5.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1209,6 +1302,7 @@ rule webshell_PHP_G5 {
 rule webshell_PHP_r57142 {
 meta:
 description = "Web Shell - file r57142.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1221,6 +1315,7 @@ rule webshell_PHP_r57142 {
 rule webshell_jsp_tree {
 meta:
 description = "Web Shell - file tree.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1234,6 +1329,7 @@ rule webshell_jsp_tree {
 rule webshell_C99madShell_v_3_0_smowu {
 meta:
 description = "Web Shell - file smowu.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1247,6 +1343,7 @@ rule webshell_C99madShell_v_3_0_smowu {
 rule webshell_simple_backdoor {
 meta:
 description = "Web Shell - file simple-backdoor.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1261,6 +1358,7 @@ rule webshell_simple_backdoor {
 rule webshell_PHP_404 {
 meta:
 description = "Web Shell - file 404.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1273,6 +1371,7 @@ rule webshell_PHP_404 {
 rule webshell_Macker_s_Private_PHPShell {
 meta:
 description = "Web Shell - file Macker's Private PHPShell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1287,6 +1386,7 @@ rule webshell_Macker_s_Private_PHPShell {
 rule webshell_Antichat_Shell_v1_3_2 {
 meta:
 description = "Web Shell - file Antichat Shell v1.3.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1299,6 +1399,7 @@ rule webshell_Antichat_Shell_v1_3_2 {
 rule webshell_Safe_mode_breaker {
 meta:
 description = "Web Shell - file Safe mode breaker.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1312,6 +1413,7 @@ rule webshell_Safe_mode_breaker {
 rule webshell_Sst_Sheller {
 meta:
 description = "Web Shell - file Sst-Sheller.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1325,6 +1427,7 @@ rule webshell_Sst_Sheller {
 rule webshell_jsp_list {
 meta:
 description = "Web Shell - file list.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1339,6 +1442,7 @@ rule webshell_jsp_list {
 rule webshell_PHPJackal_v1_5 {
 meta:
 description = "Web Shell - file PHPJackal v1.5.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1352,6 +1456,7 @@ rule webshell_PHPJackal_v1_5 {
 rule webshell_customize {
 meta:
 description = "Web Shell - file customize.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1364,6 +1469,7 @@ rule webshell_customize {
 rule webshell_s72_Shell_v1_1_Coding {
 meta:
 description = "Web Shell - file s72 Shell v1.1 Coding.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1376,6 +1482,7 @@ rule webshell_s72_Shell_v1_1_Coding {
 rule webshell_jsp_sys3 {
 meta:
 description = "Web Shell - file sys3.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1390,6 +1497,7 @@ rule webshell_jsp_sys3 {
 rule webshell_jsp_guige02 {
 meta:
 description = "Web Shell - file guige02.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1403,6 +1511,7 @@ rule webshell_jsp_guige02 {
 rule webshell_php_ghost {
 meta:
 description = "Web Shell - file ghost.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1417,6 +1526,7 @@ rule webshell_php_ghost {
 rule webshell_WinX_Shell {
 meta:
 description = "Web Shell - file WinX Shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1430,6 +1540,7 @@ rule webshell_WinX_Shell {
 rule webshell_Crystal_Crystal {
 meta:
 description = "Web Shell - file Crystal.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1443,6 +1554,7 @@ rule webshell_Crystal_Crystal {
 rule webshell_r57_1_4_0 {
 meta:
 description = "Web Shell - file r57.1.4.0.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1458,6 +1570,7 @@ rule webshell_r57_1_4_0 {
 rule webshell_jsp_hsxa1 {
 meta:
 description = "Web Shell - file hsxa1.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1470,6 +1583,7 @@ rule webshell_jsp_hsxa1 {
 rule webshell_asp_ajn {
 meta:
 description = "Web Shell - file ajn.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1483,6 +1597,7 @@ rule webshell_asp_ajn {
 rule webshell_php_cmd {
 meta:
 description = "Web Shell - file cmd.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1497,6 +1612,7 @@ rule webshell_php_cmd {
 rule webshell_asp_list {
 meta:
 description = "Web Shell - file list.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1510,6 +1626,7 @@ rule webshell_asp_list {
 rule webshell_PHP_co {
 meta:
 description = "Web Shell - file co.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1523,6 +1640,7 @@ rule webshell_PHP_co {
 rule webshell_PHP_150 {
 meta:
 description = "Web Shell - file 150.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1536,6 +1654,7 @@ rule webshell_PHP_150 {
 rule webshell_jsp_cmdjsp_2 {
 meta:
 description = "Web Shell - file cmdjsp.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1549,6 +1668,7 @@ rule webshell_jsp_cmdjsp_2 {
 rule webshell_PHP_c37 {
 meta:
 description = "Web Shell - file c37.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1562,6 +1682,7 @@ rule webshell_PHP_c37 {
 rule webshell_PHP_b37 {
 meta:
 description = "Web Shell - file b37.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1574,6 +1695,7 @@ rule webshell_PHP_b37 {
 rule webshell_php_backdoor {
 meta:
 description = "Web Shell - file php-backdoor.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1587,6 +1709,7 @@ rule webshell_php_backdoor {
 rule webshell_asp_dabao {
 meta:
 description = "Web Shell - file dabao.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1600,6 +1723,7 @@ rule webshell_asp_dabao {
 rule webshell_php_2 {
 meta:
 description = "Web Shell - file 2.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1612,6 +1736,7 @@ rule webshell_php_2 {
 rule webshell_asp_cmdasp {
 meta:
 description = "Web Shell - file cmdasp.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1625,6 +1750,7 @@ rule webshell_asp_cmdasp {
 rule webshell_spjspshell {
 meta:
 description = "Web Shell - file spjspshell.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1637,6 +1763,7 @@ rule webshell_spjspshell {
 rule webshell_jsp_action {
 meta:
 description = "Web Shell - file action.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1650,6 +1777,7 @@ rule webshell_jsp_action {
 rule webshell_Inderxer {
 meta:
 description = "Web Shell - file Inderxer.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1662,6 +1790,7 @@ rule webshell_Inderxer {
 rule webshell_asp_Rader {
 meta:
 description = "Web Shell - file Rader.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1675,6 +1804,7 @@ rule webshell_asp_Rader {
 rule webshell_c99_madnet_smowu {
 meta:
 description = "Web Shell - file smowu.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1692,6 +1822,7 @@ rule webshell_c99_madnet_smowu {
 rule webshell_php_moon {
 meta:
 description = "Web Shell - file moon.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1706,6 +1837,7 @@ rule webshell_php_moon {
 rule webshell_jsp_jdbc {
 meta:
 description = "Web Shell - file jdbc.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1718,6 +1850,7 @@ rule webshell_jsp_jdbc {
 rule webshell_minupload {
 meta:
 description = "Web Shell - file minupload.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1731,6 +1864,7 @@ rule webshell_minupload {
 rule webshell_ELMALISEKER_Backd00r {
 meta:
 description = "Web Shell - file ELMALISEKER Backd00r.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1744,6 +1878,7 @@ rule webshell_ELMALISEKER_Backd00r {
 rule webshell_PHP_bug_1_ {
 meta:
 description = "Web Shell - file bug (1).php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1756,6 +1891,7 @@ rule webshell_PHP_bug_1_ {
 rule webshell_caidao_shell_hkmjj {
 meta:
 description = "Web Shell - file hkmjj.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1768,6 +1904,7 @@ rule webshell_caidao_shell_hkmjj {
 rule webshell_jsp_asd {
 meta:
 description = "Web Shell - file asd.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1781,6 +1918,7 @@ rule webshell_jsp_asd {
 rule webshell_jsp_inback3 {
 meta:
 description = "Web Shell - file inback3.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1793,6 +1931,7 @@ rule webshell_jsp_inback3 {
 rule webshell_metaslsoft {
 meta:
 description = "Web Shell - file metaslsoft.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1805,6 +1944,7 @@ rule webshell_metaslsoft {
 rule webshell_asp_Ajan {
 meta:
 description = "Web Shell - file Ajan.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1817,6 +1957,7 @@ rule webshell_asp_Ajan {
 rule webshell_config_myxx_zend {
 meta:
 description = "Web Shell - from files config.jsp, myxx.jsp, zend.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1832,6 +1973,7 @@ rule webshell_config_myxx_zend {
 rule webshell_browser_201_3_ma_download {
 meta:
 description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1850,6 +1992,7 @@ rule webshell_browser_201_3_ma_download {
 rule webshell_itsec_itsecteam_shell_jHn {
 meta:
 description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1866,6 +2009,7 @@ rule webshell_itsec_itsecteam_shell_jHn {
 rule webshell_ghost_source_icesword_silic {
 meta:
 description = "Web Shell - from files ghost_source.php, icesword.php, silic.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1882,6 +2026,7 @@ rule webshell_ghost_source_icesword_silic {
 rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1924,6 +2069,7 @@ rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx {
 rule webshell_2_520_job_ma1_ma4_2 {
 meta:
 description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1943,6 +2089,7 @@ rule webshell_2_520_job_ma1_ma4_2 {
 rule webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -1988,6 +2135,7 @@ rule webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_
 rule webshell_wso2_5_1_wso2_5_wso2 {
 meta:
 description = "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2004,6 +2152,7 @@ rule webshell_wso2_5_1_wso2_5_wso2 {
 rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls {
 meta:
 description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2023,6 +2172,7 @@ rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls {
 rule webshell_404_data_suiyue {
 meta:
 description = "Web Shell - from files 404.jsp, data.jsp, suiyue.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2038,6 +2188,7 @@ rule webshell_404_data_suiyue {
 rule webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2062,6 +2213,7 @@ rule webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx {
 rule webshell_807_a_css_dm_he1p_JspSpy_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2099,6 +2251,7 @@ rule webshell_807_a_css_dm_he1p_JspSpy_xxx {
 rule webshell_201_3_ma_download {
 meta:
 description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2117,6 +2270,7 @@ rule webshell_201_3_ma_download {
 rule webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2143,6 +2297,7 @@ rule webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc
 rule webshell_shell_phpspy_2006_arabicspy {
 meta:
 description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2159,6 +2314,7 @@ rule webshell_shell_phpspy_2006_arabicspy {
 rule webshell_in_JFolder_jfolder01_jsp_leo_warn {
 meta:
 description = "Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2178,6 +2334,7 @@ rule webshell_in_JFolder_jfolder01_jsp_leo_warn {
 rule webshell_2_520_icesword_job_ma1_ma4_2 {
 meta:
 description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2199,6 +2356,7 @@ rule webshell_2_520_icesword_job_ma1_ma4_2 {
 rule webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY {
 meta:
 description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2216,6 +2374,7 @@ rule webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY {
 rule webshell_shell_phpspy_2006_arabicspy_hkrkoz {
 meta:
 description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2232,6 +2391,7 @@ rule webshell_shell_phpspy_2006_arabicspy_hkrkoz {
 rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2250,6 +2410,7 @@ rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {
 rule webshell_2008_2009lite_2009mssql {
 meta:
 description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2266,6 +2427,7 @@ rule webshell_2008_2009lite_2009mssql {
 rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2286,6 +2448,7 @@ rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPS
 rule webshell_807_dm_JspSpyJDK5_m_cofigrue {
 meta:
 description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2304,6 +2467,7 @@ rule webshell_807_dm_JspSpyJDK5_m_cofigrue {
 rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2320,6 +2484,7 @@ rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {
 rule webshell_404_data_in_JFolder_jfolder01_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2341,6 +2506,7 @@ rule webshell_404_data_in_JFolder_jfolder01_xxx {
 rule webshell_jsp_reverse_jsp_reverse_jspbd {
 meta:
 description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 super_rule = 1
@@ -2358,6 +2524,7 @@ rule webshell_jsp_reverse_jsp_reverse_jspbd {
 rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc {
 meta:
 description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2381,6 +2548,7 @@ rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc {
 rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 {
 meta:
 description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2402,6 +2570,7 @@ rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 {
 rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 60
@@ -2425,6 +2594,7 @@ rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz
 rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2449,6 +2619,7 @@ rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx {
 rule webshell_itsec_PHPJackal_itsecteam_shell_jHn {
 meta:
 description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2467,6 +2638,7 @@ rule webshell_itsec_PHPJackal_itsecteam_shell_jHn {
 rule webshell_Shell_ci_Biz_was_here_c100_v_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2486,6 +2658,7 @@ rule webshell_Shell_ci_Biz_was_here_c100_v_xxx {
 rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2504,6 +2677,7 @@ rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 {
 rule webshell_c99_c99shell_c99_w4cking_Shell_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2531,6 +2705,7 @@ rule webshell_c99_c99shell_c99_w4cking_Shell_xxx {
 rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2552,6 +2727,7 @@ rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
 rule webshell_c99_c66_c99_shadows_mod_c99shell {
 meta:
 description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2573,6 +2749,7 @@ rule webshell_c99_c66_c99_shadows_mod_c99shell {
 rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {
 meta:
 description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2595,6 +2772,7 @@ rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {
 rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {
 meta:
 description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2617,6 +2795,7 @@ rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {
 rule webshell_c99_c99shell_c99_c99shell {
 meta:
 description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2634,6 +2813,7 @@ rule webshell_c99_c99shell_c99_c99shell {
 rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {
 meta:
 description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2654,6 +2834,7 @@ rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {
 rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2672,6 +2853,7 @@ rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {
 rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2721,6 +2903,7 @@ rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {
 rule webshell_2_520_icesword_job_ma1 {
 meta:
 description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2740,6 +2923,7 @@ rule webshell_2_520_icesword_job_ma1 {
 rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {
 meta:
 description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2764,6 +2948,7 @@ rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {
 rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {
 meta:
 description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2783,6 +2968,7 @@ rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {
 rule webshell_c99_locus7s_c99_w4cking_xxx {
 meta:
 description = "Web Shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/01/28"
 score = 70
@@ -2811,6 +2997,7 @@ rule webshell_c99_locus7s_c99_w4cking_xxx { rule webshell_browser_201_3_ma_ma2_download { meta: description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/01/28" score = 70 @@ -2831,6 +3018,7 @@ rule webshell_browser_201_3_ma_ma2_download { rule webshell_000_403_c5_queryDong_spyjsp2010 { meta: description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/01/28" score = 70 @@ -2851,6 +3039,7 @@ rule webshell_000_403_c5_queryDong_spyjsp2010 { rule webshell_r57shell127_r57_kartal_r57 { meta: description = "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/01/28" score = 70 @@ -2869,6 +3058,7 @@ rule webshell_r57shell127_r57_kartal_r57 { rule webshell_webshells_new_con2 { meta: description = "Web shells - generated from file con2.asp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -2882,6 +3072,7 @@ rule webshell_webshells_new_con2 { rule webshell_webshells_new_make2 { meta: description = "Web shells - generated from file make2.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" hash = "9af195491101e0816a263c106e4c145e" @@ -2894,6 +3085,7 @@ rule webshell_webshells_new_make2 { rule webshell_webshells_new_aaa { meta: description = "Web shells - generated from file aaa.asp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 
@@ -2908,6 +3100,7 @@ rule webshell_webshells_new_aaa { rule webshell_Expdoor_com_ASP { meta: description = "Web shells - generated from file Expdoor.com ASP.asp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -2924,6 +3117,7 @@ rule webshell_Expdoor_com_ASP { rule webshell_webshells_new_php2 { meta: description = "Web shells - generated from file php2.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -2936,6 +3130,7 @@ rule webshell_webshells_new_php2 { rule webshell_bypass_iisuser_p { meta: description = "Web shells - generated from file bypass-iisuser-p.asp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -2948,6 +3143,7 @@ rule webshell_bypass_iisuser_p { rule webshell_sig_404super { meta: description = "Web shells - generated from file 404super.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -2965,6 +3161,7 @@ rule webshell_sig_404super { rule webshell_webshells_new_JSP { meta: description = "Web shells - generated from file JSP.jsp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -2979,6 +3176,7 @@ rule webshell_webshells_new_JSP { rule webshell_webshell_123 { meta: description = "Web shells - generated from file webshell-123.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -2994,6 +3192,7 @@ rule webshell_webshell_123 { rule webshell_dev_core { meta: description = "Web shells - generated from file dev_core.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 
@@ -3011,6 +3210,7 @@ rule webshell_dev_core { rule webshell_webshells_new_pHp { meta: description = "Web shells - generated from file pHp.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3027,6 +3227,7 @@ rule webshell_webshells_new_pHp { rule webshell_webshells_new_pppp { meta: description = "Web shells - generated from file pppp.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3041,6 +3242,7 @@ rule webshell_webshells_new_pppp { rule webshell_webshells_new_code { meta: description = "Web shells - generated from file code.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3057,6 +3259,7 @@ rule webshell_webshells_new_code { rule webshell_webshells_new_jspyyy { meta: description = "Web shells - generated from file jspyyy.jsp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3069,6 +3272,7 @@ rule webshell_webshells_new_jspyyy { rule webshell_webshells_new_xxxx { meta: description = "Web shells - generated from file xxxx.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3081,6 +3285,7 @@ rule webshell_webshells_new_xxxx { rule webshell_webshells_new_JJjsp3 { meta: description = "Web shells - generated from file JJjsp3.jsp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3093,6 +3298,7 @@ rule webshell_webshells_new_JJjsp3 { rule webshell_webshells_new_PHP1 { meta: description = "Web shells - generated from file PHP1.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 
@@ -3107,6 +3313,7 @@ rule webshell_webshells_new_PHP1 { rule webshell_webshells_new_JJJsp2 { meta: description = "Web shells - generated from file JJJsp2.jsp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3122,6 +3329,7 @@ rule webshell_webshells_new_JJJsp2 { rule webshell_webshells_new_radhat { meta: description = "Web shells - generated from file radhat.asp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3134,6 +3342,7 @@ rule webshell_webshells_new_radhat { rule webshell_webshells_new_asp1 { meta: description = "Web shells - generated from file asp1.asp" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3147,6 +3356,7 @@ rule webshell_webshells_new_asp1 { rule webshell_webshells_new_php6 { meta: description = "Web shells - generated from file php6.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3161,6 +3371,7 @@ rule webshell_webshells_new_php6 { rule webshell_webshells_new_xxx { meta: description = "Web shells - generated from file xxx.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3173,6 +3384,7 @@ rule webshell_webshells_new_xxx { rule webshell_GetPostpHp { meta: description = "Web shells - generated from file GetPostpHp.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 @@ -3185,6 +3397,7 @@ rule webshell_GetPostpHp { rule webshell_webshells_new_php5 { meta: description = "Web shells - generated from file php5.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" date = "2014/03/28" score = 70 
@@ -3197,6 +3410,7 @@ rule webshell_webshells_new_php5 {
 rule webshell_webshells_new_PHP {
 meta:
 description = "Web shells - generated from file PHP.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/03/28"
 score = 70
@@ -3213,6 +3427,7 @@ rule webshell_webshells_new_PHP {
 rule webshell_webshells_new_Asp {
 meta:
 description = "Web shells - generated from file Asp.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/03/28"
 score = 70
@@ -5010,6 +5225,7 @@ rule _nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alp
 rule DarkSecurityTeam_Webshell {
 meta:
 description = "Dark Security Team Webshell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
 score = 50
@@ -5023,6 +5239,7 @@ rule PHP_Cloaked_Webshell_SuperFetchExec {
 meta:
 description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC"
 reference = "http://goo.gl/xFvioC"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 50
 strings:
@@ -5036,6 +5253,7 @@ rule PHP_Cloaked_Webshell_SuperFetchExec {
 rule WebShell_RemExp_asp_php {
 meta:
 description = "PHP Webshells Github Archive - file RemExp.asp.php.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2"
 strings:
@@ -5050,6 +5268,7 @@ rule WebShell_RemExp_asp_php {
 rule WebShell_dC3_Security_Crew_Shell_PRiV {
 meta:
 description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "1b2a4a7174ca170b4e3a8cdf4814c92695134c8a"
 strings:
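Review bot: In the `PHP_Cloaked_Webshell_SuperFetchExec` hunk the added `license` line lands between `reference` and `author`, whereas every other hunk on this page (and those in the files above) puts it directly after `description`; the insertion was presumably keyed on the `author` line, and this is the only rule where `reference` precedes it. Meta key order has no effect on matching, but one consistent position makes the tag trivial to grep, strip or rewrite in bulk when the rule set is redistributed, so move it up: `description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC"` / `license = "https://creativecommons.org/licenses/by-nc/4.0/"` / `reference = "http://goo.gl/xFvioC"`. The rule's `strings:` and `condition:` sections continue outside the hunk.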
@@ -5065,6 +5284,7 @@ rule WebShell_dC3_Security_Crew_Shell_PRiV { rule WebShell_simattacker { meta: description = "PHP Webshells Github Archive - file simattacker.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9" strings: @@ -5082,6 +5302,7 @@ rule WebShell_simattacker { rule WebShell_DTool_Pro { meta: description = "PHP Webshells Github Archive - file DTool Pro.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "e2ee1c7ba7b05994f65710b7bbf935954f2c3353" strings: @@ -5099,6 +5320,7 @@ rule WebShell_DTool_Pro { rule WebShell_ironshell { meta: description = "PHP Webshells Github Archive - file ironshell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "d47b8ba98ea8061404defc6b3a30839c4444a262" strings: @@ -5116,6 +5338,7 @@ rule WebShell_ironshell { rule WebShell_indexer_asp_php { meta: description = "PHP Webshells Github Archive - file indexer.asp.php.txt" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "e9a7aa5eb1fb228117dc85298c7d3ecd8e288a2d" strings: @@ -5131,6 +5354,7 @@ rule WebShell_indexer_asp_php { rule WebShell_toolaspshell { meta: description = "PHP Webshells Github Archive - file toolaspshell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "11d236b0d1c2da30828ffd2f393dd4c6a1022e3f" strings: @@ -5143,6 +5367,7 @@ rule WebShell_toolaspshell { rule WebShell_b374k_mini_shell_php_php { meta: description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "afb88635fbdd9ebe86b650cc220d3012a8c35143" strings: 
@@ -5155,6 +5380,7 @@ rule WebShell_b374k_mini_shell_php_php { rule WebShell_Sincap_1_0 { meta: description = "PHP Webshells Github Archive - file Sincap 1.0.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "9b72635ff1410fa40c4e15513ae3a496d54f971c" strings: @@ -5169,6 +5395,7 @@ rule WebShell_Sincap_1_0 { rule WebShell_b374k_php { meta: description = "PHP Webshells Github Archive - file b374k.php.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "04c99efd187cf29dc4e5603c51be44170987bce2" strings: @@ -5183,6 +5410,7 @@ rule WebShell_b374k_php { rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend { meta: description = "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "6454cc5ab73143d72cf0025a81bd1fe710351b44" strings: @@ -5199,6 +5427,7 @@ rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend { rule WebShell_h4ntu_shell__powered_by_tsoi_ { meta: description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9" strings: @@ -5214,6 +5443,7 @@ rule WebShell_h4ntu_shell__powered_by_tsoi_ { rule WebShell_php_webshells_MyShell { meta: description = "PHP Webshells Github Archive - file MyShell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d" strings: @@ -5231,6 +5461,7 @@ rule WebShell_php_webshells_MyShell { rule WebShell_php_webshells_pws { meta: description = "PHP Webshells Github Archive - file pws.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b" strings: 
@@ -5246,6 +5477,7 @@ rule WebShell_php_webshells_pws { rule WebShell_reader_asp_php { meta: description = "PHP Webshells Github Archive - file reader.asp.php.txt" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931" strings: @@ -5259,6 +5491,7 @@ rule WebShell_reader_asp_php { rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 { meta: description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "db076b7c80d2a5279cab2578aa19cb18aea92832" strings: @@ -5274,6 +5507,7 @@ rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 { rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit { meta: description = "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "b2b797707e09c12ff5e632af84b394ad41a46fa4" strings: @@ -5288,6 +5522,7 @@ rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit { rule WebShell_php_backdoor { meta: description = "PHP Webshells Github Archive - file php-backdoor.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe" strings: @@ -5302,6 +5537,7 @@ rule WebShell_php_backdoor { rule WebShell_Worse_Linux_Shell { meta: description = "PHP Webshells Github Archive - file Worse Linux Shell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "64623ab1246bc8f7d256b25f244eb2b41f543e96" strings: 
@@ -5317,6 +5553,7 @@ rule WebShell_Worse_Linux_Shell { rule WebShell_php_webshells_pHpINJ { meta: description = "PHP Webshells Github Archive - file pHpINJ.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "75116bee1ab122861b155cc1ce45a112c28b9596" strings: @@ -5333,6 +5570,7 @@ rule WebShell_php_webshells_pHpINJ { rule WebShell_php_webshells_NGH { meta: description = "PHP Webshells Github Archive - file NGH.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "c05b5deecfc6de972aa4652cb66da89cfb3e1645" strings: @@ -5349,6 +5587,7 @@ rule WebShell_php_webshells_NGH { rule WebShell_php_webshells_matamu { meta: description = "PHP Webshells Github Archive - file matamu.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "d477aae6bd2f288b578dbf05c1c46b3aaa474733" strings: @@ -5364,6 +5603,7 @@ rule WebShell_php_webshells_matamu { rule WebShell_ru24_post_sh { meta: description = "PHP Webshells Github Archive - file ru24_post_sh.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "d2c18766a1cd4dda928c12ff7b519578ccec0769" strings: @@ -5378,6 +5618,7 @@ rule WebShell_ru24_post_sh { rule WebShell_hiddens_shell_v1 { meta: description = "PHP Webshells Github Archive - file hiddens shell v1.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59" strings: @@ -5388,6 +5629,7 @@ rule WebShell_hiddens_shell_v1 { rule WebShell_c99_madnet { meta: description = "PHP Webshells Github Archive - file c99_madnet.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "17613df393d0a99fd5bea18b2d4707f566cff219" strings: 
@@ -5402,6 +5644,7 @@ rule WebShell_c99_madnet { rule WebShell_c99_locus7s { meta: description = "PHP Webshells Github Archive - file c99_locus7s.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "d413d4700daed07561c9f95e1468fb80238fbf3c" strings: @@ -5416,6 +5659,7 @@ rule WebShell_c99_locus7s { rule WebShell_JspWebshell_1_2 { meta: description = "PHP Webshells Github Archive - file JspWebshell_1.2.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "0bed4a1966117dd872ac9e8dceceb54024a030fa" strings: @@ -5431,6 +5675,7 @@ rule WebShell_JspWebshell_1_2 { rule WebShell_safe0ver { meta: description = "PHP Webshells Github Archive - file safe0ver.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "366639526d92bd38ff7218b8539ac0f154190eb8" strings: @@ -5447,6 +5692,7 @@ rule WebShell_safe0ver { rule WebShell_Uploader { meta: description = "PHP Webshells Github Archive - file Uploader.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "e216c5863a23fde8a449c31660fd413d77cce0b7" strings: @@ -5457,6 +5703,7 @@ rule WebShell_Uploader { rule WebShell_php_webshells_kral { meta: description = "PHP Webshells Github Archive - file kral.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc" strings: @@ -5472,6 +5719,7 @@ rule WebShell_php_webshells_kral { rule WebShell_cgitelnet { meta: description = "PHP Webshells Github Archive - file cgitelnet.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "72e5f0e4cd438e47b6454de297267770a36cbeb3" strings: 
@@ -5485,6 +5733,7 @@ rule WebShell_cgitelnet { rule WebShell_simple_backdoor { meta: description = "PHP Webshells Github Archive - file simple-backdoor.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "edcd5157a68fa00723a506ca86d6cbb8884ef512" strings: @@ -5503,6 +5752,7 @@ rule WebShell_simple_backdoor { rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 { meta: description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25" strings: @@ -5516,6 +5766,7 @@ rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 { rule WebShell_NTDaddy_v1_9 { meta: description = "PHP Webshells Github Archive - file NTDaddy v1.9.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "79519aa407fff72b7510c6a63c877f2e07d7554b" strings: @@ -5529,6 +5780,7 @@ rule WebShell_NTDaddy_v1_9 { rule WebShell_lamashell { meta: description = "PHP Webshells Github Archive - file lamashell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560" strings: @@ -5544,6 +5796,7 @@ rule WebShell_lamashell { rule WebShell_Simple_PHP_backdoor_by_DK { meta: description = "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "03f6215548ed370bec0332199be7c4f68105274e" strings: @@ -5558,6 +5811,7 @@ rule WebShell_Simple_PHP_backdoor_by_DK { rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT { meta: description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "31e5473920a2cc445d246bc5820037d8fe383201" strings: 
@@ -5570,6 +5824,7 @@ rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT { rule WebShell_C99madShell_v__2_0_madnet_edition { meta: description = "PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "f99f8228eb12746847f54bad45084f19d1a7e111" strings: @@ -5584,6 +5839,7 @@ rule WebShell_C99madShell_v__2_0_madnet_edition { rule WebShell_CmdAsp_asp_php { meta: description = "PHP Webshells Github Archive - file CmdAsp.asp.php.txt" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "cb18e1ac11e37e236e244b96c2af2d313feda696" strings: @@ -5602,6 +5858,7 @@ rule WebShell_CmdAsp_asp_php { rule WebShell_NCC_Shell { meta: description = "PHP Webshells Github Archive - file NCC-Shell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "64d4495875a809b2730bd93bec2e33902ea80a53" strings: @@ -5617,6 +5874,7 @@ rule WebShell_NCC_Shell { rule WebShell_php_webshells_README { meta: description = "PHP Webshells Github Archive - file README.md" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "ef2c567b4782c994db48de0168deb29c812f7204" strings: @@ -5628,6 +5886,7 @@ rule WebShell_php_webshells_README { rule WebShell_backupsql { meta: description = "PHP Webshells Github Archive - file backupsql.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "863e017545ec8e16a0df5f420f2d708631020dd4" strings: @@ -5642,6 +5901,7 @@ rule WebShell_backupsql { rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version { meta: description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "c90b0ba575f432ecc08f8f292f3013b5532fe2c4" strings: 
@@ -5654,6 +5914,7 @@ rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version { rule WebShell_php_webshells_cpanel { meta: description = "PHP Webshells Github Archive - file cpanel.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "433dab17106b175c7cf73f4f094e835d453c0874" strings: @@ -5669,6 +5930,7 @@ rule WebShell_php_webshells_cpanel { rule WebShell_accept_language { meta: description = "PHP Webshells Github Archive - file accept_language.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "180b13576f8a5407ab3325671b63750adbcb62c9" strings: @@ -5679,6 +5941,7 @@ rule WebShell_accept_language { rule WebShell_php_webshells_529 { meta: description = "PHP Webshells Github Archive - file 529.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "ba3fb2995528307487dff7d5b624d9f4c94c75d3" strings: @@ -5695,6 +5958,7 @@ rule WebShell_php_webshells_529 { rule WebShell_STNC_WebShell_v0_8 { meta: description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc" strings: @@ -5707,6 +5971,7 @@ rule WebShell_STNC_WebShell_v0_8 { rule WebShell_php_webshells_tryag { meta: description = "PHP Webshells Github Archive - file tryag.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "42d837e9ab764e95ed11b8bd6c29699d13fe4c41" strings: @@ -5721,6 +5986,7 @@ rule WebShell_php_webshells_tryag { rule WebShell_dC3_Security_Crew_Shell_PRiV_2 { meta: description = "PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "9077eb05f4ce19c31c93c2421430dd3068a37f17" strings: 
@@ -5735,6 +6001,7 @@ rule WebShell_dC3_Security_Crew_Shell_PRiV_2 { rule WebShell_qsd_php_backdoor { meta: description = "PHP Webshells Github Archive - file qsd-php-backdoor.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "4856bce45fc5b3f938d8125f7cdd35a8bbae380f" strings: @@ -5748,6 +6015,7 @@ rule WebShell_qsd_php_backdoor { rule WebShell_php_webshells_spygrup { meta: description = "PHP Webshells Github Archive - file spygrup.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "12f9105332f5dc5d6360a26706cd79afa07fe004" strings: @@ -5761,6 +6029,7 @@ rule WebShell_php_webshells_spygrup { rule WebShell_Web_shell__c_ShAnKaR { meta: description = "PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "3dd4f25bd132beb59d2ae0c813373c9ea20e1b7a" strings: @@ -5774,6 +6043,7 @@ rule WebShell_Web_shell__c_ShAnKaR { rule WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz { meta: description = "PHP Webshells Github Archive - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68" strings: @@ -5787,6 +6057,7 @@ rule WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz { rule WebShell_Gamma_Web_Shell { meta: description = "PHP Webshells Github Archive - file Gamma Web Shell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a" strings: @@ -5800,6 +6071,7 @@ rule WebShell_Gamma_Web_Shell { rule WebShell_php_webshells_aspydrv { meta: description = "PHP Webshells Github Archive - file aspydrv.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "3d8996b625025dc549d73cdb3e5fa678ab35d32a" strings: 
@@ -5814,6 +6086,7 @@ rule WebShell_php_webshells_aspydrv { rule WebShell_JspWebshell_1_2_2 { meta: description = "PHP Webshells Github Archive - file JspWebshell 1.2.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "184fc72b51d1429c44a4c8de43081e00967cf86b" strings: @@ -5828,6 +6101,7 @@ rule WebShell_JspWebshell_1_2_2 { rule WebShell_g00nshell_v1_3 { meta: description = "PHP Webshells Github Archive - file g00nshell-v1.3.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "70fe072e120249c9e2f0a8e9019f984aea84a504" strings: @@ -5842,6 +6116,7 @@ rule WebShell_g00nshell_v1_3 { rule WebShell_WinX_Shell { meta: description = "PHP Webshells Github Archive - file WinX Shell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "a94d65c168344ad9fa406d219bdf60150c02010e" strings: @@ -5856,6 +6131,7 @@ rule WebShell_WinX_Shell { rule WebShell_PHANTASMA { meta: description = "PHP Webshells Github Archive - file PHANTASMA.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "cd12d42abf854cd34ff9e93a80d464620af6d75e" strings: @@ -5869,6 +6145,7 @@ rule WebShell_PHANTASMA { rule WebShell_php_webshells_cw { meta: description = "PHP Webshells Github Archive - file cw.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "e65e0670ef6edf0a3581be6fe5ddeeffd22014bf" strings: @@ -5884,6 +6161,7 @@ rule WebShell_php_webshells_cw { rule WebShell_php_include_w_shell { meta: description = "PHP Webshells Github Archive - file php-include-w-shell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "1a7f4868691410830ad954360950e37c582b0292" strings: 
@@ -5896,6 +6174,7 @@ rule WebShell_php_include_w_shell { rule WebShell_mysql_tool { meta: description = "PHP Webshells Github Archive - file mysql_tool.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "c9cf8cafcd4e65d1b57fdee5eef98f0f2de74474" strings: @@ -5907,6 +6186,7 @@ rule WebShell_mysql_tool { rule WebShell_PhpSpy_Ver_2006 { meta: description = "PHP Webshells Github Archive - file PhpSpy Ver 2006.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "34a89e0ab896c3518d9a474b71ee636ca595625d" strings: @@ -5920,6 +6200,7 @@ rule WebShell_PhpSpy_Ver_2006 { rule WebShell_ZyklonShell { meta: description = "PHP Webshells Github Archive - file ZyklonShell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "3fa7e6f3566427196ac47551392e2386a038d61c" strings: @@ -5933,6 +6214,7 @@ rule WebShell_ZyklonShell { rule WebShell_php_webshells_myshell { meta: description = "PHP Webshells Github Archive - file myshell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "5bd52749872d1083e7be076a5e65ffcde210e524" strings: @@ -5946,6 +6228,7 @@ rule WebShell_php_webshells_myshell { rule WebShell_php_webshells_lolipop { meta: description = "PHP Webshells Github Archive - file lolipop.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "86f23baabb90c93465e6851e40104ded5a5164cb" strings: @@ -5958,6 +6241,7 @@ rule WebShell_php_webshells_lolipop { rule WebShell_simple_cmd { meta: description = "PHP Webshells Github Archive - file simple_cmd.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "466a8caf03cdebe07aa16ad490e54744f82e32c2" strings: 
@@ -5971,6 +6255,7 @@ rule WebShell_simple_cmd { rule WebShell_go_shell { meta: description = "PHP Webshells Github Archive - file go-shell.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "3dd85981bec33de42c04c53d081c230b5fc0e94f" strings: @@ -5985,6 +6270,7 @@ rule WebShell_go_shell { rule WebShell_aZRaiLPhp_v1_0 { meta: description = "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "a2c609d1a8c8ba3d706d1d70bef69e63f239782b" strings: @@ -5998,6 +6284,7 @@ rule WebShell_aZRaiLPhp_v1_0 { rule WebShell_webshells_zehir4 { meta: description = "Webshells Github Archive - file zehir4" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "788928ae87551f286d189e163e55410acbb90a64" score = 55 @@ -6010,6 +6297,7 @@ rule WebShell_webshells_zehir4 { rule WebShell_zehir4_asp_php { meta: description = "PHP Webshells Github Archive - file zehir4.asp.php.txt" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "1d9b78b5b14b821139541cc0deb4cbbd994ce157" strings: @@ -6022,6 +6310,7 @@ rule WebShell_zehir4_asp_php { rule WebShell_php_webshells_lostDC { meta: description = "PHP Webshells Github Archive - file lostDC.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde" strings: @@ -6036,6 +6325,7 @@ rule WebShell_php_webshells_lostDC { rule WebShell_CasuS_1_5 { meta: description = "PHP Webshells Github Archive - file CasuS 1.5.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "7eee8882ad9b940407acc0146db018c302696341" strings: 
@@ -6048,6 +6338,7 @@ rule WebShell_CasuS_1_5 { rule WebShell_ftpsearch { meta: description = "PHP Webshells Github Archive - file ftpsearch.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" hash = "c945f597552ccb8c0309ad6d2831c8cabdf4e2d6" strings: @@ -6061,6 +6352,7 @@ rule WebShell_ftpsearch { rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ { meta: description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" super_rule = 1 hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38" @@ -6077,6 +6369,7 @@ rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ { rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah { meta: description = "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" super_rule = 1 hash0 = "fa11deaee821ca3de7ad1caafa2a585ee1bc8d82" @@ -6096,6 +6389,7 @@ rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah { rule WebShell_Generic_PHP_7 { meta: description = "PHP Webshells Github Archive" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" super_rule = 1 hash0 = "de98f890790756f226f597489844eb3e53a867a9" @@ -6113,6 +6407,7 @@ rule WebShell_Generic_PHP_7 { rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall { meta: description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php" + license = "https://creativecommons.org/licenses/by-nc/4.0/" author = "Florian Roth" super_rule = 1 hash0 = "b148ead15d34a55771894424ace2a92983351dda" 
@@ -6130,6 +6425,7 @@ rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall {
 rule WebShell_Generic_PHP_8 {
 meta:
 description = "PHP Webshells Github Archive"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99"
@@ -6148,6 +6444,7 @@ rule WebShell_Generic_PHP_8 {
 rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php {
 meta:
 description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
@@ -6165,6 +6462,7 @@ rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php {
 rule WebShell_Generic_PHP_9 {
 meta:
 description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18"
@@ -6183,6 +6481,7 @@ rule WebShell_Generic_PHP_9 {
 rule WebShell__PH_Vayv_PHVayv_PH_Vayv {
 meta:
 description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
@@ -6198,6 +6497,7 @@ rule WebShell__PH_Vayv_PHVayv_PH_Vayv {
 rule WebShell_Generic_PHP_1 {
 meta:
 description = "PHP Webshells Github Archive - from files Dive Shell 1.0"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b"
@@ -6218,6 +6518,7 @@ rule WebShell_Generic_PHP_1 {
 rule WebShell_Generic_PHP_2 {
 meta:
 description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
@@ -6236,6 +6537,7 @@ rule WebShell_Generic_PHP_2 {
 rule WebShell__CrystalShell_v_1_erne_stres {
 meta:
 description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
@@ -6256,6 +6558,7 @@ rule WebShell__CrystalShell_v_1_erne_stres {
 rule WebShell_Generic_PHP_3 {
 meta:
 description = "PHP Webshells Github Archive"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "d829e87b3ce34460088c7775a60bded64e530cd4"
@@ -6274,6 +6577,7 @@ rule WebShell_Generic_PHP_3 {
 rule WebShell_Generic_PHP_4 {
 meta:
 description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
@@ -6296,6 +6600,7 @@ rule WebShell_Generic_PHP_4 {
 rule WebShell_GFS {
 meta:
 description = "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "c2f1ef6b11aaec255d4dd31efad18a3869a2a42c"
@@ -6311,6 +6616,7 @@ rule WebShell_GFS {
 rule WebShell__CrystalShell_v_1_sosyete_stres {
 meta:
 description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
@@ -6330,6 +6636,7 @@ rule WebShell__CrystalShell_v_1_sosyete_stres {
 rule WebShell_Generic_PHP_10 {
 meta:
 description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
@@ -6349,6 +6656,7 @@ rule WebShell_Generic_PHP_10 {
 rule WebShell_Generic_PHP_11 {
 meta:
 description = "PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "31a82cbee8dffaf8eb7b73841f3f3e8e9b3e78cf"
@@ -6370,6 +6678,7 @@ rule WebShell_Generic_PHP_11 {
 rule WebShell__findsock_php_findsock_shell_php_reverse_shell {
 meta:
 description = "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "5622c9841d76617bfc3cd4cab1932d8349b7044f"
@@ -6383,6 +6692,7 @@ rule WebShell__findsock_php_findsock_shell_php_reverse_shell {
 rule WebShell_Generic_PHP_6 {
 meta:
 description = "PHP Webshells Github Archive"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 super_rule = 1
 hash0 = "1a08f5260c4a2614636dfc108091927799776b13"
@@ -6404,6 +6714,7 @@ rule WebShell_Generic_PHP_6 {
 rule Unpack_Injectt {
 meta:
 description = "Webshells Auto-generated - file Injectt.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "8a5d2158a566c87edc999771e12d42c5"
 strings:
@@ -6416,6 +6727,7 @@ rule Unpack_Injectt {
 rule HYTop_DevPack_fso {
 meta:
 description = "Webshells Auto-generated - file fso.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b37f3cde1a08890bd822a182c3a881f6"
 strings:
@@ -6427,6 +6739,7 @@ rule HYTop_DevPack_fso {
 rule FeliksPack3___PHP_Shells_ssh {
 meta:
 description = "Webshells Auto-generated - file ssh.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "1aa5307790d72941589079989b4f900e"
 strings:
@@ -6437,6 +6750,7 @@ rule FeliksPack3___PHP_Shells_ssh {
 rule Debug_BDoor {
 meta:
 description = "Webshells Auto-generated - file BDoor.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "e4e8e31dd44beb9320922c5f49739955"
 strings:
@@ -6448,6 +6762,7 @@ rule Debug_BDoor {
 rule bin_Client {
 meta:
 description = "Webshells Auto-generated - file Client.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "5f91a5b46d155cacf0cc6673a2a5461b"
 strings:
@@ -6461,6 +6776,7 @@ rule bin_Client {
 rule ZXshell2_0_rar_Folder_ZXshell {
 meta:
 description = "Webshells Auto-generated - file ZXshell.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "246ce44502d2f6002d720d350e26c288"
 strings:
@@ -6472,6 +6788,7 @@ rule ZXshell2_0_rar_Folder_ZXshell {
 rule RkNTLoad {
 meta:
 description = "Webshells Auto-generated - file RkNTLoad.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "262317c95ced56224f136ba532b8b34f"
 strings:
@@ -6489,6 +6806,7 @@ rule RkNTLoad {
 rule binder2_binder2 {
 meta:
 description = "Webshells Auto-generated - file binder2.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "d594e90ad23ae0bc0b65b59189c12f11"
 strings:
@@ -6504,6 +6822,7 @@ rule binder2_binder2 {
 rule thelast_orice2 {
 meta:
 description = "Webshells Auto-generated - file orice2.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "aa63ffb27bde8d03d00dda04421237ae"
 strings:
@@ -6515,6 +6834,7 @@ rule thelast_orice2 {
 rule FSO_s_sincap {
 meta:
 description = "Webshells Auto-generated - file sincap.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "dc5c2c2392b84a1529abd92e98e9aa5b"
 strings:
@@ -6526,6 +6846,7 @@ rule FSO_s_sincap {
 rule PhpShell {
 meta:
 description = "Webshells Auto-generated - file PhpShell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "539baa0d39a9cf3c64d65ee7a8738620"
 strings:
@@ -6536,6 +6857,7 @@ rule PhpShell {
 rule HYTop_DevPack_config {
 meta:
 description = "Webshells Auto-generated - file config.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b41d0e64e64a685178a3155195921d61"
 strings:
@@ -6548,6 +6870,7 @@ rule HYTop_DevPack_config {
 rule sendmail {
 meta:
 description = "Webshells Auto-generated - file sendmail.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "75b86f4a21d8adefaf34b3a94629bd17"
 strings:
@@ -6559,6 +6882,7 @@ rule sendmail {
 rule FSO_s_zehir4 {
 meta:
 description = "Webshells Auto-generated - file zehir4.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "5b496a61363d304532bcf52ee21f5d55"
 strings:
@@ -6569,6 +6893,7 @@ rule FSO_s_zehir4 {
 rule hkshell_hkshell {
 meta:
 description = "Webshells Auto-generated - file hkshell.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "168cab58cee59dc4706b3be988312580"
 strings:
@@ -6581,6 +6906,7 @@ rule hkshell_hkshell {
 rule iMHaPFtp {
 meta:
 description = "Webshells Auto-generated - file iMHaPFtp.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "12911b73bc6a5d313b494102abcf5c57"
 strings:
@@ -6591,6 +6917,7 @@ rule iMHaPFtp {
 rule Unpack_TBack {
 meta:
 description = "Webshells Auto-generated - file TBack.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "a9d1007823bf96fb163ab38726b48464"
 strings:
@@ -6601,6 +6928,7 @@ rule Unpack_TBack {
 rule DarkSpy105 {
 meta:
 description = "Webshells Auto-generated - file DarkSpy105.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "f0b85e7bec90dba829a3ede1ab7d8722"
 strings:
@@ -6611,6 +6939,7 @@ rule DarkSpy105 {
 rule EditServer_EXE {
 meta:
 description = "Webshells Auto-generated - file EditServer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "f945de25e0eba3bdaf1455b3a62b9832"
 strings:
@@ -6623,6 +6952,7 @@ rule EditServer_EXE {
 rule FSO_s_reader {
 meta:
 description = "Webshells Auto-generated - file reader.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b598c8b662f2a1f6cc61f291fb0a6fa2"
 strings:
@@ -6633,6 +6963,7 @@ rule FSO_s_reader {
 rule ASP_CmdAsp {
 meta:
 description = "Webshells Auto-generated - file CmdAsp.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "79d4f3425f7a89befb0ef3bafe5e332f"
 strings:
@@ -6645,6 +6976,7 @@ rule ASP_CmdAsp {
 rule KA_uShell {
 meta:
 description = "Webshells Auto-generated - file KA_uShell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "685f5d4f7f6751eaefc2695071569aab"
 strings:
@@ -6656,6 +6988,7 @@ rule KA_uShell {
 rule PHP_Backdoor_v1 {
 meta:
 description = "Webshells Auto-generated - file PHP Backdoor v1.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "0506ba90759d11d78befd21cabf41f3d"
 strings:
@@ -6668,6 +7001,7 @@ rule PHP_Backdoor_v1 {
 rule svchostdll {
 meta:
 description = "Webshells Auto-generated - file svchostdll.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "0f6756c8cb0b454c452055f189e4c3f4"
 strings:
@@ -6686,6 +7020,7 @@ rule svchostdll {
 rule HYTop_DevPack_server {
 meta:
 description = "Webshells Auto-generated - file server.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "1d38526a215df13c7373da4635541b43"
 strings:
@@ -6696,6 +7031,7 @@ rule HYTop_DevPack_server {
 rule vanquish {
 meta:
 description = "Webshells Auto-generated - file vanquish.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "684450adde37a93e8bb362994efc898c"
 strings:
@@ -6708,6 +7044,7 @@ rule vanquish {
 rule winshell {
 meta:
 description = "Webshells Auto-generated - file winshell.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "3144410a37dd4c29d004a814a294ea26"
 strings:
@@ -6726,6 +7063,7 @@ rule winshell {
 rule FSO_s_remview {
 meta:
 description = "Webshells Auto-generated - file remview.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b4a09911a5b23e00b55abe546ded691c"
 strings:
@@ -6738,6 +7076,7 @@ rule FSO_s_remview {
 rule saphpshell {
 meta:
 description = "Webshells Auto-generated - file saphpshell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "d7bba8def713512ddda14baf9cd6889a"
 strings:
@@ -6748,6 +7087,7 @@ rule saphpshell {
 rule HYTop2006_rar_Folder_2006Z {
 meta:
 description = "Webshells Auto-generated - file 2006Z.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "fd1b6129abd4ab177fed135e3b665488"
 strings:
@@ -6759,6 +7099,7 @@ rule HYTop2006_rar_Folder_2006Z {
 rule admin_ad {
 meta:
 description = "Webshells Auto-generated - file admin-ad.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "e6819b8f8ff2f1073f7d46a0b192f43b"
 strings:
@@ -6770,6 +7111,7 @@ rule admin_ad {
 rule FSO_s_casus15 {
 meta:
 description = "Webshells Auto-generated - file casus15.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "8d155b4239d922367af5d0a1b89533a3"
 strings:
@@ -6780,6 +7122,7 @@ rule FSO_s_casus15 {
 rule BIN_Client {
 meta:
 description = "Webshells Auto-generated - file Client.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "9f0a74ec81bc2f26f16c5c172b80eca7"
 strings:
@@ -6795,6 +7138,7 @@ rule BIN_Client {
 rule shelltools_g0t_root_uptime {
 meta:
 description = "Webshells Auto-generated - file uptime.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "d1f56102bc5d3e2e37ab3ffa392073b9"
 strings:
@@ -6809,6 +7153,7 @@ rule shelltools_g0t_root_uptime {
 rule Simple_PHP_BackDooR {
 meta:
 description = "Webshells Auto-generated - file Simple_PHP_BackDooR.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "a401132363eecc3a1040774bec9cb24f"
 strings:
@@ -6821,6 +7166,7 @@ rule Simple_PHP_BackDooR {
 rule sig_2005Gray {
 meta:
 description = "Webshells Auto-generated - file 2005Gray.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "75dbe3d3b70a5678225d3e2d78b604cc"
 strings:
@@ -6834,6 +7180,7 @@ rule sig_2005Gray {
 rule DllInjection {
 meta:
 description = "Webshells Auto-generated - file DllInjection.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "a7b92283a5102886ab8aee2bc5c8d718"
 strings:
@@ -6844,6 +7191,7 @@ rule DllInjection {
 rule Mithril_v1_45_Mithril {
 meta:
 description = "Webshells Auto-generated - file Mithril.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "f1484f882dc381dde6eaa0b80ef64a07"
 strings:
@@ -6855,6 +7203,7 @@ rule Mithril_v1_45_Mithril {
 rule hkshell_hkrmv {
 meta:
 description = "Webshells Auto-generated - file hkrmv.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "bd3a0b7a6b5536f8d96f50956560e9bf"
 strings:
@@ -6866,6 +7215,7 @@ rule hkshell_hkrmv {
 rule phpshell {
 meta:
 description = "Webshells Auto-generated - file phpshell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "1dccb1ea9f24ffbd085571c88585517b"
 strings:
@@ -6878,6 +7228,7 @@ rule phpshell {
 rule FSO_s_cmd {
 meta:
 description = "Webshells Auto-generated - file cmd.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "cbe8e365d41dd3cd8e462ca434cf385f"
 strings:
@@ -6889,6 +7240,7 @@ rule FSO_s_cmd {
 rule FeliksPack3___PHP_Shells_phpft {
 meta:
 description = "Webshells Auto-generated - file phpft.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "60ef80175fcc6a879ca57c54226646b1"
 strings:
@@ -6900,6 +7252,7 @@ rule FeliksPack3___PHP_Shells_phpft {
 rule FSO_s_indexer {
 meta:
 description = "Webshells Auto-generated - file indexer.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "135fc50f85228691b401848caef3be9e"
 strings:
@@ -6910,6 +7263,7 @@ rule FSO_s_indexer {
 rule r57shell {
 meta:
 description = "Webshells Auto-generated - file r57shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "8023394542cddf8aee5dec6072ed02b5"
 strings:
@@ -6920,6 +7274,7 @@ rule r57shell {
 rule bdcli100 {
 meta:
 description = "Webshells Auto-generated - file bdcli100.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b12163ac53789fb4f62e4f17a8c2e028"
 strings:
@@ -6931,6 +7286,7 @@ rule bdcli100 {
 rule HYTop_DevPack_2005Red {
 meta:
 description = "Webshells Auto-generated - file 2005Red.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "d8ccda2214b3f6eabd4502a050eb8fe8"
 strings:
@@ -6943,6 +7299,7 @@ rule HYTop_DevPack_2005Red {
 rule HYTop2006_rar_Folder_2006X2 {
 meta:
 description = "Webshells Auto-generated - file 2006X2.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "cc5bf9fc56d404ebbc492855393d7620"
 strings:
@@ -6954,6 +7311,7 @@ rule HYTop2006_rar_Folder_2006X2 {
 rule rdrbs084 {
 meta:
 description = "Webshells Auto-generated - file rdrbs084.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "ed30327b255816bdd7590bf891aa0020"
 strings:
@@ -6965,6 +7323,7 @@ rule rdrbs084 {
 rule HYTop_CaseSwitch_2005 {
 meta:
 description = "Webshells Auto-generated - file 2005.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "8bf667ee9e21366bc0bd3491cb614f41"
 strings:
@@ -6982,6 +7341,7 @@ rule HYTop_CaseSwitch_2005 {
 rule eBayId_index3 {
 meta:
 description = "Webshells Auto-generated - file index3.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "0412b1e37f41ea0d002e4ed11608905f"
 strings:
@@ -6992,6 +7352,7 @@ rule eBayId_index3 {
 rule FSO_s_phvayv {
 meta:
 description = "Webshells Auto-generated - file phvayv.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "205ecda66c443083403efb1e5c7f7878"
 strings:
@@ -7002,6 +7363,7 @@ rule FSO_s_phvayv {
 rule byshell063_ntboot {
 meta:
 description = "Webshells Auto-generated - file ntboot.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "99b5f49db6d6d9a9faeffb29fd8e6d8c"
 strings:
@@ -7015,6 +7377,7 @@ rule byshell063_ntboot {
 rule FSO_s_casus15_2 {
 meta:
 description = "Webshells Auto-generated - file casus15.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "8d155b4239d922367af5d0a1b89533a3"
 strings:
@@ -7025,6 +7388,7 @@ rule FSO_s_casus15_2 {
 rule installer {
 meta:
 description = "Webshells Auto-generated - file installer.cmd"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "a507919ae701cf7e42fa441d3ad95f8f"
 strings:
@@ -7036,6 +7400,7 @@ rule installer {
 rule uploader {
 meta:
 description = "Webshells Auto-generated - file uploader.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b9a9aab319964351b46bd5fc9d6246a8"
 strings:
@@ -7046,6 +7411,7 @@ rule uploader {
 rule FSO_s_remview_2 {
 meta:
 description = "Webshells Auto-generated - file remview.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b4a09911a5b23e00b55abe546ded691c"
 strings:
@@ -7057,6 +7423,7 @@ rule FSO_s_remview_2 {
 rule FeliksPack3___PHP_Shells_r57 {
 meta:
 description = "Webshells Auto-generated - file r57.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "903908b77a266b855262cdbce81c3f72"
 strings:
@@ -7067,6 +7434,7 @@ rule FeliksPack3___PHP_Shells_r57 {
 rule HYTop2006_rar_Folder_2006X {
 meta:
 description = "Webshells Auto-generated - file 2006X.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "cf3ee0d869dd36e775dfcaa788db8e4b"
 strings:
@@ -7078,6 +7446,7 @@ rule HYTop2006_rar_Folder_2006X {
 rule FSO_s_phvayv_2 {
 meta:
 description = "Webshells Auto-generated - file phvayv.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "205ecda66c443083403efb1e5c7f7878"
 strings:
@@ -7088,6 +7457,7 @@ rule FSO_s_phvayv_2 {
 rule elmaliseker {
 meta:
 description = "Webshells Auto-generated - file elmaliseker.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "ccf48af0c8c09bbd038e610a49c9862e"
 strings:
@@ -7099,6 +7469,7 @@ rule elmaliseker {
 rule shelltools_g0t_root_resolve {
 meta:
 description = "Webshells Auto-generated - file resolve.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "69bf9aa296238610a0e05f99b5540297"
 strings:
@@ -7115,6 +7486,7 @@ rule shelltools_g0t_root_resolve {
 rule FSO_s_RemExp {
 meta:
 description = "Webshells Auto-generated - file RemExp.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b69670ecdbb40012c73686cd22696eeb"
 strings:
@@ -7127,6 +7499,7 @@ rule FSO_s_RemExp {
 rule FSO_s_tool {
 meta:
 description = "Webshells Auto-generated - file tool.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "3a1e1e889fdd974a130a6a767b42655b"
 strings:
@@ -7137,6 +7510,7 @@ rule FSO_s_tool {
 rule FeliksPack3___PHP_Shells_2005 {
 meta:
 description = "Webshells Auto-generated - file 2005.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "97f2552c2fafc0b2eb467ee29cc803c8"
 strings:
@@ -7148,6 +7522,7 @@ rule FeliksPack3___PHP_Shells_2005 {
 rule byloader {
 meta:
 description = "Webshells Auto-generated - file byloader.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "0f0d6dc26055653f5844ded906ce52df"
 strings:
@@ -7162,6 +7537,7 @@ rule byloader {
 rule shelltools_g0t_root_Fport {
 meta:
 description = "Webshells Auto-generated - file Fport.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "dbb75488aa2fa22ba6950aead1ef30d5"
 strings:
@@ -7173,6 +7549,7 @@ rule shelltools_g0t_root_Fport {
 rule BackDooR__fr_ {
 meta:
 description = "Webshells Auto-generated - file BackDooR (fr).php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "a79cac2cf86e073a832aaf29a664f4be"
 strings:
@@ -7183,6 +7560,7 @@ rule BackDooR__fr_ {
 rule FSO_s_ntdaddy {
 meta:
 description = "Webshells Auto-generated - file ntdaddy.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357"
 strings:
@@ -7193,6 +7571,7 @@ rule FSO_s_ntdaddy {
 rule nstview_nstview {
 meta:
 description = "Webshells Auto-generated - file nstview.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "3871888a0c1ac4270104918231029a56"
 strings:
@@ -7203,6 +7582,7 @@ rule nstview_nstview {
 rule HYTop_DevPack_upload {
 meta:
 description = "Webshells Auto-generated - file upload.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b09852bda534627949f0259828c967de"
 strings:
@@ -7213,6 +7593,7 @@ rule HYTop_DevPack_upload {
 rule PasswordReminder {
 meta:
 description = "Webshells Auto-generated - file PasswordReminder.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "ea49d754dc609e8bfa4c0f95d14ef9bf"
 strings:
@@ -7223,6 +7604,7 @@ rule PasswordReminder {
 rule Pack_InjectT {
 meta:
 description = "Webshells Auto-generated - file InjectT.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "983b74ccd57f6195a0584cdfb27d55e8"
 strings:
@@ -7237,6 +7619,7 @@ rule Pack_InjectT {
 rule FSO_s_RemExp_2 {
 meta:
 description = "Webshells Auto-generated - file RemExp.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b69670ecdbb40012c73686cd22696eeb"
 strings:
@@ -7248,6 +7631,7 @@ rule FSO_s_RemExp_2 {
 rule FSO_s_c99 {
 meta:
 description = "Webshells Auto-generated - file c99.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "5f9ba02eb081bba2b2434c603af454d0"
 strings:
@@ -7258,6 +7642,7 @@ rule FSO_s_c99 {
 rule rknt_zip_Folder_RkNT {
 meta:
 description = "Webshells Auto-generated - file RkNT.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "5f97386dfde148942b7584aeb6512b85"
 strings:
@@ -7274,6 +7659,7 @@ rule rknt_zip_Folder_RkNT {
 rule dbgntboot {
 meta:
 description = "Webshells Auto-generated - file dbgntboot.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "4d87543d4d7f73c1529c9f8066b475ab"
 strings:
@@ -7285,6 +7671,7 @@ rule dbgntboot {
 rule PHP_shell {
 meta:
 description = "Webshells Auto-generated - file shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "45e8a00567f8a34ab1cccc86b4bc74b9"
 strings:
@@ -7296,6 +7683,7 @@ rule PHP_shell {
 rule hxdef100 {
 meta:
 description = "Webshells Auto-generated - file hxdef100.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "55cc1769cef44910bd91b7b73dee1f6c"
 strings:
@@ -7308,6 +7696,7 @@ rule hxdef100 {
 rule rdrbs100 {
 meta:
 description = "Webshells Auto-generated - file rdrbs100.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "7c752bcd6da796d80a6830c61a632bff"
 strings:
@@ -7319,6 +7708,7 @@ rule rdrbs100 {
 rule Mithril_Mithril {
 meta:
 description = "Webshells Auto-generated - file Mithril.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "017191562d72ab0ca551eb89256650bd"
 strings:
@@ -7336,6 +7726,7 @@ rule Mithril_Mithril {
 rule hxdef100_2 {
 meta:
 description = "Webshells Auto-generated - file hxdef100.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "1b393e2e13b9c57fb501b7cd7ad96b25"
 strings:
@@ -7348,6 +7739,7 @@ rule hxdef100_2 {
 rule Release_dllTest {
 meta:
 description = "Webshells Auto-generated - file dllTest.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "76a59fc3242a2819307bb9d593bef2e0"
 strings:
@@ -7367,6 +7759,7 @@ rule Release_dllTest {
 rule webadmin {
 meta:
 description = "Webshells Auto-generated - file webadmin.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "3a90de401b30e5b590362ba2dde30937"
 strings:
@@ -7377,6 +7770,7 @@ rule webadmin {
 rule commands {
 meta:
 description = "Webshells Auto-generated - file commands.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "174486fe844cb388e2ae3494ac2d1ec2"
 strings:
@@ -7388,6 +7782,7 @@ rule commands {
 rule hkdoordll {
 meta:
 description = "Webshells Auto-generated - file hkdoordll.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b715c009d47686c0e62d0981efce2552"
 strings:
@@ -7398,6 +7793,7 @@ rule hkdoordll {
 rule r57shell_2 {
 meta:
 description = "Webshells Auto-generated - file r57shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "8023394542cddf8aee5dec6072ed02b5"
 strings:
@@ -7408,6 +7804,7 @@ rule r57shell_2 {
 rule Mithril_v1_45_dllTest {
 meta:
 description = "Webshells Auto-generated - file dllTest.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "1b9e518aaa62b15079ff6edb412b21e9"
 strings:
@@ -7420,6 +7817,7 @@ rule Mithril_v1_45_dllTest {
 rule dbgiis6cli {
 meta:
 description = "Webshells Auto-generated - file dbgiis6cli.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "3044dceb632b636563f66fee3aaaf8f3"
 strings:
@@ -7431,6 +7829,7 @@ rule dbgiis6cli {
 rule remview_2003_04_22 {
 meta:
 description = "Webshells Auto-generated - file remview_2003_04_22.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "17d3e4e39fbca857344a7650f7ea55e3"
 strings:
@@ -7441,6 +7840,7 @@ rule remview_2003_04_22 {
 rule FSO_s_test {
 meta:
 description = "Webshells Auto-generated - file test.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "82cf7b48da8286e644f575b039a99c26"
 strings:
@@ -7452,6 +7852,7 @@ rule FSO_s_test {
 rule Debug_cress {
 meta:
 description = "Webshells Auto-generated - file cress.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "36a416186fe010574c9be68002a7286a"
 strings:
@@ -7463,6 +7864,7 @@ rule Debug_cress {
 rule webshell {
 meta:
 description = "Webshells Auto-generated - file webshell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "f2f8c02921f29368234bfb4d4622ad19"
 strings:
@@ -7477,6 +7879,7 @@ rule webshell {
 rule FSO_s_EFSO_2 {
 meta:
 description = "Webshells Auto-generated - file EFSO_2.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "a341270f9ebd01320a7490c12cb2e64c"
 strings:
@@ -7488,6 +7891,7 @@ rule FSO_s_EFSO_2 {
 rule thelast_index3 {
 meta:
 description = "Webshells Auto-generated - file index3.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "cceff6dc247aaa25512bad22120a14b4"
 strings:
@@ -7498,6 +7902,7 @@ rule thelast_index3 {
 rule adjustcr {
 meta:
 description = "Webshells Auto-generated - file adjustcr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "17037fa684ef4c90a25ec5674dac2eb6"
 strings:
@@ -7511,6 +7916,7 @@ rule adjustcr {
 rule FeliksPack3___PHP_Shells_xIShell {
 meta:
 description = "Webshells Auto-generated - file xIShell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "997c8437c0621b4b753a546a53a88674"
 strings:
@@ -7521,6 +7927,7 @@ rule FeliksPack3___PHP_Shells_xIShell {
 rule HYTop_AppPack_2005 {
 meta:
 description = "Webshells Auto-generated - file 2005.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
 strings:
@@ -7531,6 +7938,7 @@ rule HYTop_AppPack_2005 {
 rule xssshell {
 meta:
 description = "Webshells Auto-generated - file xssshell.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "8fc0ffc5e5fbe85f7706ffc45b3f79b4"
 strings:
@@ -7541,6 +7949,7 @@ rule xssshell {
 rule FeliksPack3___PHP_Shells_usr {
 meta:
 description = "Webshells Auto-generated - file usr.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "ade3357520325af50c9098dc8a21a024"
 strings:
@@ -7551,6 +7960,7 @@ rule FeliksPack3___PHP_Shells_usr {
 rule FSO_s_phpinj {
 meta:
 description = "Webshells Auto-generated - file phpinj.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "dd39d17e9baca0363cc1c3664e608929"
 strings:
@@ -7561,6 +7971,7 @@ rule FSO_s_phpinj {
 rule xssshell_db {
 meta:
 description = "Webshells Auto-generated - file db.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "cb62e2ec40addd4b9930a9e270f5b318"
 strings:
@@ -7571,6 +7982,7 @@ rule xssshell_db {
 rule PHP_sh {
 meta:
 description = "Webshells Auto-generated - file sh.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "1e9e879d49eb0634871e9b36f99fe528"
 strings:
@@ -7581,6 +7993,7 @@ rule PHP_sh {
 rule xssshell_default {
 meta:
 description = "Webshells Auto-generated - file default.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "d156782ae5e0b3724de3227b42fcaf2f"
 strings:
@@ -7591,6 +8004,7 @@ rule xssshell_default {
 rule EditServer_2 {
 meta:
 description = "Webshells Auto-generated - file EditServer.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "5c1f25a4d206c83cdfb006b3eb4c09ba"
 strings:
@@ -7603,6 +8017,7 @@ rule EditServer_2 {
 rule by064cli {
 meta:
 description = "Webshells Auto-generated - file by064cli.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "10e0dff366968b770ae929505d2a9885"
 strings:
@@ -7614,6 +8029,7 @@ rule by064cli {
 rule Mithril_dllTest {
 meta:
 description = "Webshells Auto-generated - file dllTest.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "a8d25d794d8f08cd4de0c3d6bf389e6d"
 strings:
@@ -7625,6 +8041,7 @@ rule Mithril_dllTest {
 rule peek_a_boo {
 meta:
 description = "Webshells Auto-generated - file peek-a-boo.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "aca339f60d41fdcba83773be5d646776"
 strings:
@@ -7640,6 +8057,7 @@ rule peek_a_boo {
 rule fmlibraryv3 {
 meta:
 description = "Webshells Auto-generated - file fmlibraryv3.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "c34c248fed6d5a20d8203924a2088acc"
 strings:
@@ -7650,6 +8068,7 @@ rule fmlibraryv3 {
 rule Debug_dllTest_2 {
 meta:
 description = "Webshells Auto-generated - file dllTest.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "1b9e518aaa62b15079ff6edb412b21e9"
 strings:
@@ -7661,6 +8080,7 @@ rule Debug_dllTest_2 {
 rule connector {
 meta:
 description = "Webshells Auto-generated - file connector.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "3ba1827fca7be37c8296cd60be9dc884"
 strings:
@@ -7672,6 +8092,7 @@ rule connector {
 rule shelltools_g0t_root_HideRun {
 meta:
 description = "Webshells Auto-generated - file HideRun.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "45436d9bfd8ff94b71eeaeb280025afe"
 strings:
@@ -7683,6 +8104,7 @@ rule shelltools_g0t_root_HideRun {
 rule PHP_Shell_v1_7 {
 meta:
 description = "Webshells Auto-generated - file PHP_Shell_v1.7.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b5978501c7112584532b4ca6fb77cba5"
 strings:
@@ -7693,6 +8115,7 @@ rule PHP_Shell_v1_7 {
 rule xssshell_save {
 meta:
 description = "Webshells Auto-generated - file save.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "865da1b3974e940936fe38e8e1964980"
 strings:
@@ -7704,6 +8127,7 @@ rule xssshell_save {
 rule screencap {
 meta:
 description = "Webshells Auto-generated - file screencap.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "51139091dea7a9418a50f2712ea72aa6"
 strings:
@@ -7716,6 +8140,7 @@ rule screencap {
 rule FSO_s_phpinj_2 {
 meta:
 description = "Webshells Auto-generated - file phpinj.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "dd39d17e9baca0363cc1c3664e608929"
 strings:
@@ -7726,6 +8151,7 @@ rule FSO_s_phpinj_2 {
 rule ZXshell2_0_rar_Folder_zxrecv {
 meta:
 description = "Webshells Auto-generated - file zxrecv.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "5d3d12a39f41d51341ef4cb7ce69d30f"
 strings:
@@ -7742,6 +8168,7 @@ rule ZXshell2_0_rar_Folder_zxrecv {
 rule FSO_s_ajan {
 meta:
 description = "Webshells Auto-generated - file ajan.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "22194f8c44524f80254e1b5aec67b03e"
 strings:
@@ -7752,6 +8179,7 @@ rule FSO_s_ajan {
 rule c99shell {
 meta:
 description = "Webshells Auto-generated - file c99shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "90b86a9c63e2cd346fe07cea23fbfc56"
 strings:
@@ -7762,6 +8190,7 @@ rule c99shell {
 rule phpspy_2005_full {
 meta:
 description = "Webshells Auto-generated - file phpspy_2005_full.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "d1c69bb152645438440e6c903bac16b2"
 strings:
@@ -7772,6 +8201,7 @@ rule phpspy_2005_full {
 rule FSO_s_zehir4_2 {
 meta:
 description = "Webshells Auto-generated - file zehir4.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "5b496a61363d304532bcf52ee21f5d55"
 strings:
@@ -7782,6 +8212,7 @@ rule FSO_s_zehir4_2 {
 rule FSO_s_indexer_2 {
 meta:
 description = "Webshells Auto-generated - file indexer.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "135fc50f85228691b401848caef3be9e"
 strings:
@@ -7792,6 +8223,7 @@ rule FSO_s_indexer_2 {
 rule HYTop_DevPack_2005 {
 meta:
 description = "Webshells Auto-generated - file 2005.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
 strings:
@@ -7804,6 +8236,7 @@ rule HYTop_DevPack_2005 {
 rule _root_040_zip_Folder_deploy {
 meta:
 description = "Webshells Auto-generated - file deploy.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "2c9f9c58999256c73a5ebdb10a9be269"
 strings:
@@ -7816,6 +8249,7 @@ rule _root_040_zip_Folder_deploy {
 rule by063cli {
 meta:
 description = "Webshells Auto-generated - file by063cli.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "49ce26eb97fd13b6d92a5e5d169db859"
 strings:
@@ -7827,6 +8261,7 @@ rule by063cli {
 rule icyfox007v1_10_rar_Folder_asp {
 meta:
 description = "Webshells Auto-generated - file asp.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "2c412400b146b7b98d6e7755f7159bb9"
 strings:
@@ -7837,6 +8272,7 @@ rule icyfox007v1_10_rar_Folder_asp {
 rule FSO_s_EFSO_2_2 {
 meta:
 description = "Webshells Auto-generated - file EFSO_2.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "a341270f9ebd01320a7490c12cb2e64c"
 strings:
@@ -7848,6 +8284,7 @@ rule FSO_s_EFSO_2_2 {
 rule byshell063_ntboot_2 {
 meta:
 description = "Webshells Auto-generated - file ntboot.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
 strings:
@@ -7858,6 +8295,7 @@ rule byshell063_ntboot_2 {
 rule u_uay {
 meta:
 description = "Webshells Auto-generated - file uay.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
 strings:
@@ -7869,6 +8307,7 @@ rule u_uay {
 rule bin_wuaus {
 meta:
 description = "Webshells Auto-generated - file wuaus.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "46a365992bec7377b48a2263c49e4e7d"
 strings:
@@ -7884,6 +8323,7 @@ rule bin_wuaus {
 rule pwreveal {
 meta:
 description = "Webshells Auto-generated - file pwreveal.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "b4e8447826a45b76ca45ba151a97ad50"
 strings:
@@ -7897,6 +8337,7 @@ rule pwreveal {
 rule shelltools_g0t_root_xwhois {
 meta:
 description = "Webshells Auto-generated - file xwhois.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "0bc98bd576c80d921a3460f8be8816b4"
 strings:
@@ -7910,6 +8351,7 @@ rule shelltools_g0t_root_xwhois {
 rule vanquish_2 {
 meta:
 description = "Webshells Auto-generated - file vanquish.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "2dcb9055785a2ee01567f52b5a62b071"
 strings:
@@ -7920,6 +8362,7 @@ rule vanquish_2 {
 rule down_rar_Folder_down {
 meta:
 description = "Webshells Auto-generated - file down.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "db47d7a12b3584a2e340567178886e71"
 strings:
@@ -7930,6 +8373,7 @@ rule down_rar_Folder_down {
 rule cmdShell {
 meta:
 description = "Webshells Auto-generated - file cmdShell.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "8a9fef43209b5d2d4b81dfbb45182036"
 strings:
@@ -7940,6 +8384,7 @@ rule cmdShell {
 rule ZXshell2_0_rar_Folder_nc {
 meta:
 description = "Webshells Auto-generated - file nc.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
 strings:
@@ -7953,6 +8398,7 @@ rule ZXshell2_0_rar_Folder_nc {
 rule portlessinst {
 meta:
 description = "Webshells Auto-generated - file portlessinst.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "74213856fc61475443a91cd84e2a6c2f"
 strings:
@@ -7965,6 +8411,7 @@ rule portlessinst {
 rule SetupBDoor {
 meta:
 description = "Webshells Auto-generated - file SetupBDoor.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "41f89e20398368e742eda4a3b45716b6"
 strings:
@@ -7975,6 +8422,7 @@ rule SetupBDoor {
 rule phpshell_3 {
 meta:
 description = "Webshells Auto-generated - file phpshell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
 strings:
@@ -7986,6 +8434,7 @@ rule phpshell_3 {
 rule BIN_Server {
 meta:
 description = "Webshells Auto-generated - file Server.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
 strings:
@@ -8001,6 +8450,7 @@ rule BIN_Server {
 rule HYTop2006_rar_Folder_2006 {
 meta:
 description = "Webshells Auto-generated - file 2006.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "c19d6f4e069188f19b08fa94d44bc283"
 strings:
@@ -8011,6 +8461,7 @@ rule HYTop2006_rar_Folder_2006 {
 rule r57shell_3 {
 meta:
 description = "Webshells Auto-generated - file r57shell.php"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "87995a49f275b6b75abe2521e03ac2c0"
 strings:
@@ -8021,6 +8472,7 @@ rule r57shell_3 {
 rule HDConfig {
 meta:
 description = "Webshells Auto-generated - file HDConfig.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "7d60e552fdca57642fd30462416347bd"
 strings:
@@ -8035,6 +8487,7 @@ rule HDConfig {
 rule FSO_s_ajan_2 {
 meta:
 description = "Webshells Auto-generated - file ajan.asp"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "22194f8c44524f80254e1b5aec67b03e"
 strings:
@@ -8047,6 +8500,7 @@ rule FSO_s_ajan_2 {
 rule Webshell_and_Exploit_CN_APT_HK : Webshell {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
 date = "10.10.2014"
@@ -8107,6 +8561,7 @@ rule JSP_jfigueiredo_APT_webshell_2 {
 rule Webshell_Insomnia {
 meta:
 description = "Insomnia Webshell - file InsomniaShell.aspx"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/"
 date = "2014/12/09"
@@ -8128,6 +8583,7 @@ rule Webshell_Insomnia {
 rule HawkEye_PHP_Panel {
 meta:
 description = "Detects HawkEye Keyloggers PHP Panel"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/12/14"
 score = 60
@@ -8144,6 +8600,7 @@ rule SoakSoak_Infected_Wordpress {
 meta:
 description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX"
 reference = "http://goo.gl/1GzWUX"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2014/12/15"
 score = 60
@@ -8158,6 +8615,7 @@ rule SoakSoak_Infected_Wordpress {
 rule Pastebin_Webshell {
 meta:
 description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 70
 date = "13.01.2015"
@@ -8180,6 +8638,7 @@ rule Pastebin_Webshell {
 rule ASPXspy2 {
 meta:
 description = "Web shell - file ASPXspy2.aspx"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/01/24"
@@ -8215,6 +8674,7 @@ rule ASPXspy2 {
 rule Webshell_27_9_c66_c99 {
 meta:
 description = "Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..."
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8240,6 +8700,7 @@ rule Webshell_27_9_c66_c99 {
 rule Webshell_acid_AntiSecShell_3 {
 meta:
 description = "Detects Webshell Acid"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8272,6 +8733,7 @@ rule Webshell_acid_AntiSecShell_3 {
 rule Webshell_c99_4 {
 meta:
 description = "Detects C99 Webshell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8303,6 +8765,7 @@ rule Webshell_c99_4 {
 rule Webshell_r57shell_2 {
 meta:
 description = "Detects Webshell R57"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8330,6 +8793,7 @@ rule Webshell_r57shell_2 {
 rule Webshell_27_9_acid_c99_locus7s {
 meta:
 description = "Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8352,6 +8816,7 @@ rule Webshell_27_9_acid_c99_locus7s {
 rule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 {
 meta:
 description = "Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ..."
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8377,6 +8842,7 @@ rule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 {
 rule Webshell_c100 {
 meta:
 description = "Detects Webshell - rule generated from from files c100 v. 777shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8401,6 +8867,7 @@ rule Webshell_c100 {
 rule Webshell_AcidPoison {
 meta:
 description = "Detects Poison Sh3ll - Webshell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8424,6 +8891,7 @@ rule Webshell_AcidPoison {
 rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 {
 meta:
 description = "Detects Webshell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8443,6 +8911,7 @@ rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 {
 rule Webshell_Ayyildiz {
 meta:
 description = "Detects Webshell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8462,6 +8931,7 @@ rule Webshell_Ayyildiz {
 rule Webshell_zehir {
 meta:
 description = "Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/nikicat/web-malware-collection"
 date = "2016-01-11"
@@ -8490,6 +8960,7 @@ rule Webshell_zehir {
 rule UploadShell_98038f1efa4203432349badabad76d44337319a6 {
 meta:
 description = "Detects a web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/bartblaze/PHP-backdoors"
 date = "2016-09-10"
@@ -8505,6 +8976,7 @@ rule UploadShell_98038f1efa4203432349badabad76d44337319a6 {
 rule DKShell_f0772be3c95802a2d1e7a4a3f5a45dcdef6997f3 {
 meta:
 description = "Detects a web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/bartblaze/PHP-backdoors"
 date = "2016-09-10"
@@ -8519,6 +8991,7 @@ rule DKShell_f0772be3c95802a2d1e7a4a3f5a45dcdef6997f3 {
 rule Unknown_8af033424f9590a15472a23cc3236e68070b952e {
 meta:
 description = "Detects a web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/bartblaze/PHP-backdoors"
 date = "2016-09-10"
@@ -8534,6 +9007,7 @@ rule Unknown_8af033424f9590a15472a23cc3236e68070b952e {
 rule DkShell_4000bd83451f0d8501a9dfad60dce39e55ae167d {
 meta:
 description = "Detects a web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/bartblaze/PHP-backdoors"
 date = "2016-09-10"
@@ -8552,6 +9026,7 @@ rule DkShell_4000bd83451f0d8501a9dfad60dce39e55ae167d {
 rule WebShell_5786d7d9f4b0df731d79ed927fb5a124195fc901 {
 meta:
 description = "Detects a web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/bartblaze/PHP-backdoors"
 date = "2016-09-10"
@@ -8566,6 +9041,7 @@ rule WebShell_5786d7d9f4b0df731d79ed927fb5a124195fc901 {
 rule webshell_e8eaf8da94012e866e51547cd63bb996379690bf {
 meta:
 description = "Detects a web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/bartblaze/PHP-backdoors"
 date = "2016-09-10"
@@ -8581,6 +9057,7 @@ rule webshell_e8eaf8da94012e866e51547cd63bb996379690bf {
 rule Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167 {
 meta:
 description = "Detects a web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/bartblaze/PHP-backdoors"
 date = "2016-09-10"
@@ -8596,6 +9073,7 @@ rule Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167 {
 rule WSOShell_0bbebaf46f87718caba581163d4beed56ddf73a7 {
 meta:
 description = "Detects a web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/bartblaze/PHP-backdoors"
 date = "2016-09-10"
@@ -8610,6 +9088,7 @@ rule WSOShell_0bbebaf46f87718caba581163d4beed56ddf73a7 {
 rule WebShell_Generic_1609_A {
 meta:
 description = "Auto-generated rule"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/bartblaze/PHP-backdoors"
 date = "2016-09-10"
@@ -8625,6 +9104,7 @@ rule WebShell_Generic_1609_A {
 rule Nishang_Webshell {
 meta:
 description = "Detects a ASPX web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/samratashok/nishang"
 date = "2016-09-11"
@@ -8650,6 +9130,7 @@ rule Nishang_Webshell {
 rule PHP_Webshell_1_Feb17 {
 meta:
 description = "Detects a simple cloaked PHP web shell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127"
 date = "2017-02-28"
@@ -8671,6 +9152,7 @@ rule PHP_Webshell_1_Feb17 {
 rule Webshell_Tiny_JSP_2 {
 meta:
 description = "Detects a tiny webshell - chine chopper"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 date = "2015-12-05"
 score = 100
@@ -8693,6 +9175,7 @@ rule Webshell_Tiny_JSP_2 {
 rule Wordpress_Config_Webshell_Preprend {
 meta:
 description = "Webshell that uses standard Wordpress wp-config.php file and appends the malicious code in front of it"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research"
 date = "2017-06-25"
@@ -8724,6 +9207,7 @@ rule Wordpress_Config_Webshell_Preprend {
 rule PAS_Webshell_Encoded {
 meta:
 description = "Detects a PAS webshell"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html"
 date = "2017-07-11"
@@ -8769,6 +9253,7 @@ rule PAS_Webshell_Encoded {
 rule ALFA_SHELL {
 meta:
 description = "Detects web shell often used by Iranian APT groups"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - APT33"
 date = "2017-09-21"
@@ -8787,6 +9272,7 @@ rule ALFA_SHELL {
 rule Webshell_FOPO_Obfuscation_APT_ON_Nov17_1 {
 meta:
 description = "Detects malware from NK APT incident DE"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "Internal Research - ON"
 date = "2017-11-17"
diff --git a/yara/thor_inverse_matches.yar b/yara/thor_inverse_matches.yar
index 0f12928..0a77845 100644
--- a/yara/thor_inverse_matches.yar
+++ b/yara/thor_inverse_matches.yar
@@ -28,6 +28,7 @@ condition:
 rule iexplore_ANOMALY {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Abnormal iexplore.exe - typical strings not found in file"
 date = "23/04/2014"
@@ -45,6 +46,7 @@ rule iexplore_ANOMALY {
 rule svchost_ANOMALY {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Abnormal svchost.exe - typical strings not found in file"
 date = "23/04/2014"
@@ -63,6 +65,7 @@ rule svchost_ANOMALY {
 rule explorer_ANOMALY {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Abnormal explorer.exe - typical strings not found in file"
 date = "27/05/2014"
@@ -94,6 +97,7 @@ rule sethc_ANOMALY {
 rule Utilman_ANOMALY {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Abnormal utilman.exe - typical strings not found in file"
 date = "01/06/2014"
@@ -108,6 +112,7 @@ rule Utilman_ANOMALY {
 rule osk_ANOMALY {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file"
 date = "01/06/2014"
@@ -123,6 +128,7 @@ rule osk_ANOMALY {
 rule magnify_ANOMALY {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file"
 date = "01/06/2014"
@@ -137,6 +143,7 @@ rule magnify_ANOMALY {
 rule narrator_ANOMALY {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Abnormal narrator.exe - typical strings not found in file"
 date = "01/06/2014"
@@ -153,6 +160,7 @@ rule narrator_ANOMALY {
 rule notepad_ANOMALY {
 meta:
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 description = "Abnormal notepad.exe - typical strings not found in file"
 date = "01/06/2014"
@@ -172,6 +180,7 @@ rule notepad_ANOMALY {
 rule csrss_ANOMALY {
 meta:
 description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/03/16"
@@ -188,6 +197,7 @@ rule csrss_ANOMALY {
 rule conhost_ANOMALY {
 meta:
 description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/03/16"
@@ -201,6 +211,7 @@ rule conhost_ANOMALY {
 rule wininit_ANOMALY {
 meta:
 description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/03/16"
@@ -214,6 +225,7 @@ rule wininit_ANOMALY {
 rule winlogon_ANOMALY {
 meta:
 description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file winlogon.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/03/16"
@@ -230,6 +242,7 @@ rule winlogon_ANOMALY {
 rule SndVol_ANOMALY {
 meta:
 description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/03/16"
@@ -243,6 +256,7 @@ rule SndVol_ANOMALY {
 rule doskey_ANOMALY {
 meta:
 description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file doskey.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/03/16"
@@ -256,6 +270,7 @@ rule doskey_ANOMALY {
 rule lsass_ANOMALY {
 meta:
 description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/03/16"
@@ -272,6 +287,7 @@ rule lsass_ANOMALY {
 rule taskmgr_ANOMALY {
 meta:
 description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "not set"
 date = "2015/03/16"
@@ -295,6 +311,7 @@ rule APT_Cloaked_PsExec
 meta:
 description = "Looks like a cloaked PsExec. May be APT group activity."
 date = "2014-07-18"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 60
 strings:
@@ -313,6 +330,7 @@ rule APT_Cloaked_SuperScan
 meta:
 description = "Looks like a cloaked SuperScan Port Scanner. May be APT group activity."
 date = "2014-07-18"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 50
 strings:
@@ -328,6 +346,7 @@ rule APT_Cloaked_ScanLine
 meta:
 description = "Looks like a cloaked ScanLine Port Scanner. May be APT group activity."
 date = "2014-07-18"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 50
 strings:
@@ -343,6 +362,7 @@ rule SAM_Hive_Backup {
 meta:
 description = "Detects a SAM hive backup file"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump"
 score = 60
diff --git a/yara/yara_mixed_ext_vars.yar b/yara/yara_mixed_ext_vars.yar
index feb373e..fff975f 100644
--- a/yara/yara_mixed_ext_vars.yar
+++ b/yara/yara_mixed_ext_vars.yar
@@ -8,6 +8,7 @@ rule Acrotray_Anomaly {
 meta:
 description = "Detects an acrotray.exe that does not contain the usual strings"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 score = 75
 strings:
@@ -24,6 +25,7 @@ rule Acrotray_Anomaly {
 rule COZY_FANCY_BEAR_modified_VmUpgradeHelper {
 meta:
 description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
 date = "2016-06-14"
@@ -56,6 +58,7 @@ rule IronTiger_Gh0stRAT_variant
 rule OpCloudHopper_Cloaked_PSCP {
 meta:
 description = "Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
 date = "2017-04-07"
@@ -70,6 +73,7 @@ rule msi_dll_Anomaly {
 meta:
 description = "Detetcs very small and supicious msi.dll"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
 date = "2017-02-10"
@@ -83,7 +87,8 @@ rule msi_dll_Anomaly {
 rule PoS_Malware_MalumPOS_Config
 {
 meta:
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 date = "2015-06-25"
 description = "MalumPOS Config File"
 reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/"
@@ -99,6 +104,7 @@ rule PoS_Malware_MalumPOS_Config
 rule Malware_QA_update_test {
 meta:
 description = "VT Research QA uploaded malware - file update_.exe"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "VT Research QA"
 date = "2016-08-29"
@@ -118,6 +124,7 @@ rule Malware_QA_update_test {
 rule SysInterals_PipeList_NameChanged {
 meta:
 description = "Detects NirSoft PipeList"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "https://goo.gl/Mr6M2J"
 date = "2016-06-04"
@@ -144,6 +151,7 @@ rule SysInterals_PipeList_NameChanged {
 rule SCT_Scriptlet_in_Temp_Inet_Files {
 meta:
 description = "Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 reference = "http://goo.gl/KAB8Jw"
 date = "2016-04-26"
@@ -160,6 +168,7 @@ rule SCT_Scriptlet_in_Temp_Inet_Files {
 rule GIFCloaked_Webshell_A {
 meta:
 description = "Looks like a webshell cloaked as GIF"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
 author = "Florian Roth"
 hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
 score = 60
@@ -247,7 +256,8 @@ rule Exe_Cloaked_as_ThumbsDb
 meta:
 description = "Detects an executable cloaked as thumbs.db - Malware"
 date = "2014-07-18"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 50
 condition:
 uint16(0) == 0x5a4d and filename matches /[Tt]humbs\.db/
@@ -258,7 +268,8 @@ rule Fake_AdobeReader_EXE
 meta:
 description = "Detects an fake AdobeReader executable based on filesize OR missing strings in file"
 date = "2014-09-11"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 50
 strings:
 $s1 = "Adobe Systems" ascii
@@ -275,7 +286,8 @@ rule Fake_FlashPlayerUpdaterService_EXE
 meta:
 description = "Detects an fake AdobeReader executable based on filesize OR missing strings in file"
 date = "2014-09-11"
- author = "Florian Roth"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Florian Roth"
 score = 50
 strings:
 $s1 = "Adobe Systems Incorporated" ascii wide