Add license notice to my own rules; remove rules with unclear or problematic licensing

Florian Roth 2018-08-26 12:47:41 +02:00
parent 3281e6dc72
commit 7c8745c59e
304 changed files with 2619 additions and 170 deletions


@ -13,6 +13,7 @@ import "pe"
rule Agent_BTZ_Proxy_DLL_1 {
meta:
description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
date = "2017-08-07"
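Review bot: The new `license` field on the line after `description` holds only a bare URL, which tooling that filters or audits a rule set by licence cannot match reliably; a machine-readable identifier next to it, e.g. `license = "CC-BY-NC-4.0"` in SPDX form with the URL kept in a comment or second field, would make the restriction discoverable. The non-commercial clause of CC BY-NC 4.0 is a real constraint for anyone shipping these rules inside a commercial scanner, so it is worth being explicit. The `reference` is plain `http://`; if the Intezer post is served over TLS, the `https://` form avoids a redirect that an on-path attacker could alter. The rule's strings and condition lie outside the hunk.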


@ -8,6 +8,7 @@
rule APT10_Malware_Sample_Gen {
meta:
description = "APT 10 / Cloud Hopper malware campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-06"


@ -13,6 +13,7 @@ import "pe"
rule MAL_Hogfish_Report_Related_Sample {
meta:
description = "Detects APT10 / Hogfish related samples"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
date = "2018-05-01"


@ -13,6 +13,7 @@ import "pe"
rule APT12_Malware_Aug17 {
meta:
description = "Detects APT 12 Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.macnica.net/blog/2017/08/post-fb81.html"
date = "2017-08-30"


@ -13,6 +13,7 @@ import "pe"
rule APT15_Malware_Mar18_RoyalCli {
meta:
description = "Detects malware from APT 15 report by NCC Group"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/HZ5XMN"
date = "2018-03-10"
@ -32,6 +33,7 @@ rule APT15_Malware_Mar18_RoyalCli {
rule APT15_Malware_Mar18_RoyalDNS {
meta:
description = "Detects malware from APT 15 report by NCC Group"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/HZ5XMN"
date = "2018-03-10"
@ -57,6 +59,7 @@ rule APT15_Malware_Mar18_RoyalDNS {
rule APT15_Malware_Mar18_BS2005 {
meta:
description = "Detects malware from APT 15 report by NCC Group"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/HZ5XMN"
date = "2018-03-10"
@ -83,6 +86,7 @@ rule APT15_Malware_Mar18_BS2005 {
rule APT15_Malware_Mar18_MSExchangeTool {
meta:
description = "Detects malware from APT 15 report by NCC Group"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/HZ5XMN"
date = "2018-03-10"
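Review bot: All four `reference` fields in this hunk point at the short link `https://goo.gl/HZ5XMN`, which hides the destination from anyone auditing the rule and depends on a third-party redirector that can be retired or repointed at will; the resolved URL of the NCC Group report the descriptions name should be recorded instead. I cannot see the target from here, so the canonical URL has to be taken from the link itself before it is replaced. Since the four rules share one reference and date, a one-line comment above the first rule naming the report would also help readers. Each rule's strings and condition lie outside the hunk.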


@ -13,6 +13,7 @@ import "pe"
rule APT17_Malware_Oct17_1 {
meta:
description = "Detects APT17 malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
@ -29,6 +30,7 @@ rule APT17_Malware_Oct17_1 {
rule APT17_Malware_Oct17_2 {
meta:
description = "Detects APT17 malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
@ -57,6 +59,7 @@ rule APT17_Malware_Oct17_2 {
rule APT17_Unsigned_Symantec_Binary_EFA {
meta:
description = "Detects APT17 malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
@ -71,6 +74,7 @@ rule APT17_Unsigned_Symantec_Binary_EFA {
rule APT17_Malware_Oct17_Gen {
meta:
description = "Detects APT17 malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"


@ -10,6 +10,7 @@
rule APT17_Sample_FXSST_DLL {
meta:
description = "Detects Samples related to APT17 activity - file FXSST.DLL"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/ZiJyQv"
date = "2015-05-14"


@ -10,6 +10,7 @@
rule Beacon_K5om {
meta:
description = "Detects Meterpreter Beacon - file K5om.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
date = "2017-06-07"
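Review bot: The `description` line reads `Detects Meterpreter Beacon - file K5om.dll`, which mixes two different frameworks: "Beacon" is the name of the Cobalt Strike payload and Meterpreter is Metasploit's, and an analyst triaging a hit will respond differently depending on which one it is. I cannot tell from the hunk which payload the strings actually target, so the wording should be checked against the FireEye post in `reference` and corrected to name one of them, e.g. `description = "Detects Cobalt Strike Beacon - file K5om.dll"` if that is what the sample was. The rule's strings and condition lie outside the hunk.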


@ -10,6 +10,7 @@
rule APT28_CHOPSTICK {
meta:
description = "Detects a malware that behaves like CHOPSTICK mentioned in APT28 report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/v3ebal"
date = "2015-06-02"
@ -91,4 +92,3 @@ rule APT28_SourFace_Malware3 {
condition:
uint16(0) == 0x5a4d and filesize < 550KB and all of them
}


@ -10,6 +10,7 @@
rule GRIZZLY_STEPPE_Malware_1 {
meta:
description = "Auto-generated rule - file HRDG022184_certclint.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/WVflzO"
date = "2016-12-29"
@ -28,6 +29,7 @@ rule GRIZZLY_STEPPE_Malware_1 {
rule GRIZZLY_STEPPE_Malware_2 {
meta:
description = "Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/WVflzO"
date = "2016-12-29"
@ -71,6 +73,7 @@ rule WebShell_PHP_Web_Kit_v3 {
meta:
description = "Detects PAS Tool PHP Web Kit"
reference = "https://github.com/wordfence/grizzly"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2016/01/01"
strings:
@ -90,6 +93,7 @@ rule WebShell_PHP_Web_Kit_v4 {
meta:
description = "Detects PAS Tool PHP Web Kit"
reference = "https://github.com/wordfence/grizzly"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2016/01/01"
strings:
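Review bot: The `license` field is placed after `reference` in `WebShell_PHP_Web_Kit_v3` and `WebShell_PHP_Web_Kit_v4` but directly after `description` in the two GRIZZLY_STEPPE rules above, so this one file now carries two meta layouts; moving the two lines up keeps the field order every other rule in this commit uses. The same two web-kit rules use `date = "2016/01/01"` while the rules above use `2016-12-29`, and since `date` is a string that rule-management tooling may parse it is worth normalising to ISO 8601 in the same pass. The descriptions `Auto-generated rule - file HRDG022184_certclint.dll` and `Auto-generated rule - file 9acba7e5...` say nothing about what is detected; a short phrase naming the family from the GRIZZLY STEPPE report would help triage. Each rule's strings and condition lie outside the hunks.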


@ -10,6 +10,7 @@
rule APT30_Generic_H {
meta:
description = "FireEye APT30 Report Sample - file db3e5c2f2ce07c2d3fa38d6fc1ceb854"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -26,6 +27,7 @@ rule APT30_Generic_H {
rule APT30_Sample_2 {
meta:
description = "FireEye APT30 Report Sample - file c4dec6d69d8035d481e4f2c86f580e81"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -43,6 +45,7 @@ rule APT30_Sample_2 {
rule APT30_Sample_3 {
meta:
description = "FireEye APT30 Report Sample - file 59e055cee87d8faf6f701293e5830b5a"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -60,6 +63,7 @@ rule APT30_Sample_3 {
rule APT30_Generic_C {
meta:
description = "FireEye APT30 Report Sample - file 0c4fcef3b583d0ffffc2b14b9297d3a4"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -82,6 +86,7 @@ rule APT30_Generic_C {
rule APT30_Sample_4 {
meta:
description = "FireEye APT30 Report Sample - file 6ba315275561d99b1eb8fc614ff0b2b3"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -100,6 +105,7 @@ rule APT30_Sample_4 {
rule APT30_Sample_5 {
meta:
description = "FireEye APT30 Report Sample - file ebf42e8b532e2f3b19046b028b5dfb23"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -117,6 +123,7 @@ rule APT30_Sample_5 {
rule APT30_Sample_6 {
meta:
description = "FireEye APT30 Report Sample - file ee1b23c97f809151805792f8778ead74"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -131,6 +138,7 @@ rule APT30_Sample_6 {
rule APT30_Sample_7 {
meta:
description = "FireEye APT30 Report Sample - file 74b87086887e0c67ffb035069b195ac7"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -149,6 +157,7 @@ rule APT30_Sample_7 {
rule APT30_Generic_E {
meta:
description = "FireEye APT30 Report Sample - file 8ff473bedbcc77df2c49a91167b1abeb"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -167,6 +176,7 @@ rule APT30_Generic_E {
rule APT30_Sample_8 {
meta:
description = "FireEye APT30 Report Sample - file 44b98f22155f420af4528d17bb4a5ec8"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -183,6 +193,7 @@ rule APT30_Sample_8 {
rule APT30_Generic_B {
meta:
description = "FireEye APT30 Report Sample - file 29395c528693b69233c1c12bef8a64b3"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -202,6 +213,7 @@ rule APT30_Generic_B {
rule APT30_Generic_I {
meta:
description = "FireEye APT30 Report Sample - file fe211c7a081c1dac46e3935f7c614549"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -218,6 +230,7 @@ rule APT30_Generic_I {
rule APT30_Sample_9 {
meta:
description = "FireEye APT30 Report Sample - file e3ae3cbc024e39121c87d73e87bb2210"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -238,6 +251,7 @@ rule APT30_Sample_9 {
rule APT30_Sample_10 {
meta:
description = "FireEye APT30 Report Sample - file 8c713117af4ca6bbd69292a78069e75b"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -257,6 +271,7 @@ rule APT30_Sample_10 {
rule APT30_Sample_11 {
meta:
description = "FireEye APT30 Report Sample - file d97aace631d6f089595f5ce177f54a39"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -284,6 +299,7 @@ rule APT30_Sample_11 {
rule APT30_Sample_12 {
meta:
description = "FireEye APT30 Report Sample - file c95cd106c1fecbd500f4b97566d8dc96"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -299,6 +315,7 @@ rule APT30_Sample_12 {
rule APT30_Sample_13 {
meta:
description = "FireEye APT30 Report Sample - file 95bb314fe8fdbe4df31a6d23b0d378bc"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -317,6 +334,7 @@ rule APT30_Sample_13 {
rule APT30_Sample_14 {
meta:
description = "FireEye APT30 Report Sample - file 6f931c15789d234881be8ae8ccfe33f4"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -334,6 +352,7 @@ rule APT30_Sample_14 {
rule APT30_Sample_15 {
meta:
description = "FireEye APT30 Report Sample - file e26a2afaaddfb09d9ede505c6f1cc4e3"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -352,6 +371,7 @@ rule APT30_Sample_15 {
rule APT30_Sample_16 {
meta:
description = "FireEye APT30 Report Sample - file 37e568bed4ae057e548439dc811b4d3a"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -370,6 +390,7 @@ rule APT30_Sample_16 {
rule APT30_Generic_A {
meta:
description = "FireEye APT30 Report Sample - file af1c1c5d8031c4942630b6a10270d8f4"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -390,6 +411,7 @@ rule APT30_Generic_A {
rule APT30_Sample_17 {
meta:
description = "FireEye APT30 Report Sample - file 23813c5bf6a7af322b40bd2fd94bd42e"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -403,6 +425,7 @@ rule APT30_Sample_17 {
rule APT30_Sample_18 {
meta:
description = "FireEye APT30 Report Sample - file b2138a57f723326eda5a26d2dec56851"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -423,6 +446,7 @@ rule APT30_Sample_18 {
rule APT30_Generic_G {
meta:
description = "FireEye APT30 Report Sample - file 53f1358cbc298da96ec56e9a08851b4b"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -444,6 +468,7 @@ rule APT30_Generic_G {
rule APT30_Sample_19 {
meta:
description = "FireEye APT30 Report Sample - file 5d4f2871fd1818527ebd65b0ff930a77"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -469,6 +494,7 @@ rule APT30_Sample_19 {
rule APT30_Generic_E_v2 {
meta:
description = "FireEye APT30 Report Sample - file 71f25831681c19ea17b2f2a84a41bbfb"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -485,6 +511,7 @@ rule APT30_Generic_E_v2 {
rule APT30_Sample_20 {
meta:
description = "FireEye APT30 Report Sample - file 5ae51243647b7d03a5cb20dccbc0d561"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -505,6 +532,7 @@ rule APT30_Sample_20 {
rule APT30_Sample_21 {
meta:
description = "FireEye APT30 Report Sample - file 78c4fcee5b7fdbabf3b9941225d95166"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -521,6 +549,7 @@ rule APT30_Sample_21 {
rule APT30_Sample_22 {
meta:
description = "FireEye APT30 Report Sample - file fad06d7b4450c4631302264486611ec3"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -539,6 +568,7 @@ rule APT30_Sample_22 {
rule APT30_Generic_F {
meta:
description = "FireEye APT30 Report Sample - file 4c10a1efed25b828e4785d9526507fbc"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -557,6 +587,7 @@ rule APT30_Generic_F {
rule APT30_Sample_23 {
meta:
description = "FireEye APT30 Report Sample - file a5ca2c5b4d8c0c1bc93570ed13dcab1a"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -577,6 +608,7 @@ rule APT30_Sample_23 {
rule APT30_Sample_24 {
meta:
description = "FireEye APT30 Report Sample - file 062fe1336459a851bd0ea271bb2afe35"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -596,6 +628,7 @@ rule APT30_Sample_24 {
rule APT30_Sample_25 {
meta:
description = "FireEye APT30 Report Sample - file c4c068200ad8033a0f0cf28507b51842"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -615,6 +648,7 @@ rule APT30_Sample_25 {
rule APT30_Sample_26 {
meta:
description = "FireEye APT30 Report Sample - file 428fc53c84e921ac518e54a5d055f54a"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -634,6 +668,7 @@ rule APT30_Sample_26 {
rule APT30_Generic_D {
meta:
description = "FireEye APT30 Report Sample - file 597805832d45d522c4882f21db800ecf"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -657,6 +692,7 @@ rule APT30_Generic_D {
rule APT30_Sample_27 {
meta:
description = "FireEye APT30 Report Sample - file d38e02eac7e3b299b46ff2607dd0f288"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -676,6 +712,7 @@ rule APT30_Sample_27 {
rule APT30_Sample_28 {
meta:
description = "FireEye APT30 Report Sample - file e62a63307deead5c9fcca6b9a2d51fb0"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -704,6 +741,7 @@ rule APT30_Sample_28 {
rule APT30_Sample_29 {
meta:
description = "FireEye APT30 Report Sample - file 1b81b80ff0edf57da2440456d516cc90"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -724,6 +762,7 @@ rule APT30_Sample_29 {
rule APT30_Sample_30 {
meta:
description = "FireEye APT30 Report Sample - file bf8616bbed6d804a3dea09b230c2ab0c"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -741,6 +780,7 @@ rule APT30_Sample_30 {
rule APT30_Sample_31 {
meta:
description = "FireEye APT30 Report Sample - file d8e68db503f4155ed1aeba95d1f5e3e4"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -758,6 +798,7 @@ rule APT30_Sample_31 {
rule APT30_Generic_J {
meta:
description = "FireEye APT30 Report Sample - file baff5262ae01a9217b10fcd5dad9d1d5"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -789,6 +830,7 @@ rule APT30_Generic_J {
rule APT30_Microfost {
meta:
description = "FireEye APT30 Report Sample - file 310a4a62ba3765cbf8e8bbb9f324c503"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -803,6 +845,7 @@ rule APT30_Microfost {
rule APT30_Generic_K {
meta:
description = "FireEye APT30 Report Sample - file b5a343d11e1f7340de99118ce9fc1bbb"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -832,6 +875,7 @@ rule APT30_Generic_K {
rule APT30_Sample_33 {
meta:
description = "FireEye APT30 Report Sample - file 5eaf3deaaf2efac92c73ada82a651afe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -852,6 +896,7 @@ rule APT30_Sample_33 {
rule APT30_Sample_34 {
meta:
description = "FireEye APT30 Report Sample - file a9e8e402a7ee459e4896d0ba83543684"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -871,6 +916,7 @@ rule APT30_Sample_34 {
rule APT30_Sample_35 {
meta:
description = "FireEye APT30 Report Sample - file 414854a9b40f7757ed7bfc6a1b01250f"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -886,6 +932,7 @@ rule APT30_Sample_35 {
rule APT30_Sample_1 {
meta:
description = "FireEye APT30 Report Sample - file 4c6b21e98ca03e0ef0910e07cef45dac"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -903,6 +950,7 @@ rule APT30_Sample_1 {
rule APT30_Generic_1 {
meta:
description = "FireEye APT30 Report Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -935,6 +983,7 @@ rule APT30_Generic_1 {
rule APT30_Generic_2 {
meta:
description = "FireEye APT30 Report Sample - from many files"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -990,6 +1039,7 @@ rule APT30_Generic_2 {
rule APT30_Generic_3 {
meta:
description = "FireEye APT30 Report Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -1008,6 +1058,7 @@ rule APT30_Generic_3 {
rule APT30_Generic_4 {
meta:
description = "FireEye APT30 Report Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -1038,6 +1089,7 @@ rule APT30_Generic_4 {
rule APT30_Generic_5 {
meta:
description = "FireEye APT30 Report Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -1059,6 +1111,7 @@ rule APT30_Generic_5 {
rule APT30_Generic_6 {
meta:
description = "FireEye APT30 Report Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -1080,6 +1133,7 @@ rule APT30_Generic_6 {
rule APT30_Generic_7 {
meta:
description = "FireEye APT30 Report Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -1097,6 +1151,7 @@ rule APT30_Generic_7 {
rule APT30_Generic_8 {
meta:
description = "FireEye APT30 Report Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
@ -1122,6 +1177,7 @@ rule APT30_Generic_8 {
rule APT30_Generic_9 {
meta:
description = "FireEye APT30 Report Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
date = "2015/04/13"
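Review bot: Every `date` field in this file uses the slash form `2015/04/13`, while the rules elsewhere in this commit use ISO `2017-08-07`; since these are string literals that rule-management tools may parse, normalising them to `date = "2015-04-13"` while the meta blocks are being touched anyway would avoid two date dialects in one rule set. The descriptions embed an MD5 in free text (`FireEye APT30 Report Sample - file db3e5c2f2ce07c2d3fa38d6fc1ceb854`); if the rules do not already carry a dedicated `hash` meta field outside the hunks, adding one makes the sample lookup machine-readable. The rule bodies lie outside the hunks.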


@ -12,6 +12,7 @@
rule APT34_Malware_HTA {
meta:
description = "Detects APT 34 malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
date = "2017-12-07"
@ -32,6 +33,7 @@ rule APT34_Malware_HTA {
rule APT34_Malware_Exeruner {
meta:
description = "Detects APT 34 malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
date = "2017-12-07"


@ -8,6 +8,7 @@
rule APT6_Malware_Sample_Gen {
meta:
description = "Rule written for 2 malware samples that communicated to APT6 C2 servers"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/"
date = "2016-04-09"


@ -59,6 +59,7 @@ rule APT_NK_AR18_165A_HiddenCobra_import_deob {
rule APT_NK_AR18_165A_1 {
meta:
description = "Detects APT malware from AR18-165A report by US CERT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
date = "2018-06-15"


@ -2,6 +2,7 @@
rule custom_ssh_backdoor_server {
meta:
description = "Custome SSH backdoor based on python and paramiko - file server.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/S46L3o"
date = "2015-05-14"
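Review bot: The `description` in `custom_ssh_backdoor_server` has a typo, `Custome SSH backdoor`, that will surface in every alert this rule raises; the fix is `description = "Custom SSH backdoor based on python and paramiko - file server.py"`. The `reference` is a `goo.gl` short link, which hides the destination and depends on a third-party redirector, so the resolved URL should be recorded instead. The rule's strings and condition lie outside the hunk.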


@ -10,6 +10,7 @@
rule BeepService_Hacktool {
meta:
description = "Detects BeepService Hacktool used by Chinese APT groups"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/p32Ozf"
date = "2016-05-12"


@ -3,6 +3,7 @@ import "pe"
rule APT_ME_BigBang_Gen_Jul18_1 {
meta:
description = "Detects malware from Big Bang campaign against Palestinian authorities"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
date = "2018-07-09"
@ -29,6 +30,7 @@ rule APT_ME_BigBang_Gen_Jul18_1 {
rule APT_ME_BigBang_Mal_Jul18_1 {
meta:
description = "Detects malware from Big Bang report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
date = "2018-07-09"


@ -8,6 +8,7 @@
rule BlackEnergy_BE_2 {
meta:
description = "Detects BlackEnergy 2 Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/DThzLz"
date = "2015/02/19"
@ -32,6 +33,7 @@ rule BlackEnergy_BE_2 {
rule BlackEnergy_VBS_Agent {
meta:
description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
@ -47,6 +49,7 @@ rule BlackEnergy_VBS_Agent {
rule DropBear_SSH_Server {
meta:
description = "Detects DropBear SSH Server (not a threat but used to maintain access)"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
@ -65,6 +68,7 @@ rule DropBear_SSH_Server {
rule BlackEnergy_BackdoorPass_DropBear_SSH {
meta:
description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
@ -80,6 +84,7 @@ rule BlackEnergy_BackdoorPass_DropBear_SSH {
rule BlackEnergy_KillDisk_1 {
meta:
description = "Detects KillDisk malware from BlackEnergy"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
@ -107,6 +112,7 @@ rule BlackEnergy_KillDisk_1 {
rule BlackEnergy_KillDisk_2 {
meta:
description = "Detects KillDisk malware from BlackEnergy"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
@ -127,6 +133,7 @@ rule BlackEnergy_KillDisk_2 {
rule BlackEnergy_Driver_USBMDM {
meta:
description = "Black Energy Driver"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
date = "2016-01-04"
@ -150,6 +157,7 @@ rule BlackEnergy_Driver_USBMDM {
rule BlackEnergy_Driver_AMDIDE {
meta:
description = "Black Energy Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
date = "2016-01-04"
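Review bot: Five rules in this hunk, `BlackEnergy_VBS_Agent` through `BlackEnergy_KillDisk_2`, cite the FeedBurner redirect `http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/` as `reference`, while `BlackEnergy_Driver_USBMDM` further down already carries the canonical `https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-...` URL for what looks like the same ESET article; the canonical URL should replace the redirect in all five so the source stays resolvable and verifiable. `DropBear_SSH_Server` is described as `not a threat but used to maintain access`, so a match on it is a weaker signal than the other rules in this file, and a consumer who sees only the rule name will miss that caveat; if the rules carry a `score` meta field outside the hunk it should be lowered for this rule, or the name should make the dual-use nature explicit. The rule bodies lie outside the hunks.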


@ -13,6 +13,7 @@ import "pe"
rule BronzeButler_Daserf_Delphi_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
@ -36,6 +37,7 @@ rule BronzeButler_Daserf_Delphi_1 {
rule BronzeButler_Daserf_C_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
@ -76,6 +78,7 @@ rule BronzeButler_Daserf_C_1 {
rule BronzeButler_DGet_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
@ -89,6 +92,7 @@ rule BronzeButler_DGet_1 {
rule BronzeButler_UACBypass_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
@ -107,6 +111,7 @@ rule BronzeButler_UACBypass_1 {
rule BronzeButler_xxmm_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
@ -132,6 +137,7 @@ rule BronzeButler_xxmm_1 {
rule BronzeButler_RarStar_1 {
meta:
description = "Detects malware / hacktool sample from Bronze Butler incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
date = "2017-10-14"
@ -158,6 +164,7 @@ rule BronzeButler_RarStar_1 {
rule Daserf_Nov1_BronzeButler {
meta:
description = "Detects Daserf malware used by Bronze Butler"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/ffeCfd"
date = "2017-11-08"


@ -10,6 +10,7 @@
rule Buckeye_Osinfo {
meta:
description = "Detects OSinfo tool used by the Buckeye APT group"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
date = "2016-09-05"
@ -28,6 +29,7 @@ rule Buckeye_Osinfo {
rule RemoteCmd {
meta:
description = "Detects a remote access tool used by APT groups - file RemoteCmd.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/igxLyF"
date = "2016-09-08"
@ -46,6 +48,7 @@ rule RemoteCmd {
rule ChromePass {
meta:
description = "Detects a tool used by APT groups - file ChromePass.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/igxLyF"
date = "2016-09-08"


@ -4,6 +4,7 @@
rule Casper_Backdoor_x86 {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/05"
@ -35,6 +36,7 @@ rule Casper_Backdoor_x86 {
rule Casper_EXE_Dropper {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/05"
@ -56,6 +58,7 @@ rule Casper_EXE_Dropper {
rule Casper_Included_Strings {
meta:
description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
@ -80,6 +83,7 @@ rule Casper_Included_Strings {
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"


@ -11,6 +11,7 @@
rule CheshireCat_Sample2 {
meta:
description = "Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
date = "2015-08-08"
@ -33,6 +34,7 @@ rule CheshireCat_Sample2 {
rule CheshireCat_Gen1 {
meta:
description = "Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
date = "2015-08-08"
@ -72,6 +74,7 @@ rule CheshireCat_Gen1 {
rule CheshireCat_Gen2 {
meta:
description = "Cheshire Cat Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
date = "2015-08-08"


@ -10,6 +10,7 @@
rule CloudDuke_Malware {
meta:
description = "Detects CloudDuke Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.f-secure.com/weblog/archives/00002822.html"
date = "2015-07-22"


@ -13,6 +13,7 @@ import "pe"
rule CMStar_Malware_Sep17 {
meta:
description = "Detects CMStar Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/pTffPA"
date = "2017-10-03"


@ -11,6 +11,7 @@
rule PP_CN_APT_ZeroT_1 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
@ -24,6 +25,7 @@ rule PP_CN_APT_ZeroT_1 {
rule PP_CN_APT_ZeroT_2 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
@ -37,6 +39,7 @@ rule PP_CN_APT_ZeroT_2 {
rule PP_CN_APT_ZeroT_3 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
@ -55,6 +58,7 @@ rule PP_CN_APT_ZeroT_3 {
rule PP_CN_APT_ZeroT_4 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
@ -69,6 +73,7 @@ rule PP_CN_APT_ZeroT_4 {
rule PP_CN_APT_ZeroT_5 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
@ -87,6 +92,7 @@ rule PP_CN_APT_ZeroT_5 {
rule PP_CN_APT_ZeroT_6 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
@ -100,6 +106,7 @@ rule PP_CN_APT_ZeroT_6 {
rule PP_CN_APT_ZeroT_7 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
@ -116,6 +123,7 @@ rule PP_CN_APT_ZeroT_7 {
rule PP_CN_APT_ZeroT_8 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
@ -132,6 +140,7 @@ rule PP_CN_APT_ZeroT_8 {
rule PP_CN_APT_ZeroT_9 {
meta:
description = "Detects malware from the Proofpoint CN APT ZeroT incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-03"
@ -146,6 +155,7 @@ rule PP_CN_APT_ZeroT_9 {
rule CN_APT_ZeroT_nflogger {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
@ -159,6 +169,7 @@ rule CN_APT_ZeroT_nflogger {
rule CN_APT_ZeroT_extracted_Go {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Go.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
@ -181,6 +192,7 @@ rule CN_APT_ZeroT_extracted_Go {
rule CN_APT_ZeroT_extracted_Mcutil {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
@ -199,6 +211,7 @@ rule CN_APT_ZeroT_extracted_Mcutil {
rule CN_APT_ZeroT_extracted_Zlh {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"


@ -11,6 +11,7 @@
rule Codoso_PlugX_3 {
meta:
description = "Detects Codoso APT PlugX Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -26,6 +27,7 @@ rule Codoso_PlugX_3 {
rule Codoso_PlugX_2 {
meta:
description = "Detects Codoso APT PlugX Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -42,6 +44,7 @@ rule Codoso_PlugX_2 {
rule Codoso_CustomTCP_4 {
meta:
description = "Detects Codoso APT CustomTCP Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -66,6 +69,7 @@ rule Codoso_CustomTCP_4 {
rule Codoso_CustomTCP_3 {
meta:
description = "Detects Codoso APT CustomTCP Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -86,6 +90,7 @@ rule Codoso_CustomTCP_3 {
rule Codoso_CustomTCP_2 {
meta:
description = "Detects Codoso APT CustomTCP Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -105,6 +110,7 @@ rule Codoso_CustomTCP_2 {
rule Codoso_PGV_PVID_6 {
meta:
description = "Detects Codoso APT PGV_PVID Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -118,6 +124,7 @@ rule Codoso_PGV_PVID_6 {
rule Codoso_Gh0st_3 {
meta:
description = "Detects Codoso APT Gh0st Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -138,6 +145,7 @@ rule Codoso_Gh0st_3 {
rule Codoso_Gh0st_2 {
meta:
description = "Detects Codoso APT Gh0st Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -155,6 +163,7 @@ rule Codoso_Gh0st_2 {
rule Codoso_CustomTCP {
meta:
description = "Codoso CustomTCP Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -174,6 +183,7 @@ rule Codoso_CustomTCP {
rule Codoso_PGV_PVID_5 {
meta:
description = "Detects Codoso APT PGV PVID Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -189,6 +199,7 @@ rule Codoso_PGV_PVID_5 {
rule Codoso_Gh0st_1 {
meta:
description = "Detects Codoso APT Gh0st Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -226,6 +237,7 @@ rule Codoso_Gh0st_1 {
rule Codoso_PGV_PVID_4 {
meta:
description = "Detects Codoso APT PlugX Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -252,6 +264,7 @@ rule Codoso_PGV_PVID_4 {
rule Codoso_PlugX_1 {
meta:
description = "Detects Codoso APT PlugX Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -269,6 +282,7 @@ rule Codoso_PlugX_1 {
rule Codoso_PGV_PVID_3 {
meta:
description = "Detects Codoso APT PGV PVID Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -287,6 +301,7 @@ rule Codoso_PGV_PVID_3 {
rule Codoso_PGV_PVID_2 {
meta:
description = "Detects Codoso APT PGV PVID Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"
@ -308,6 +323,7 @@ rule Codoso_PGV_PVID_2 {
rule Codoso_PGV_PVID_1 {
meta:
description = "Detects Codoso APT PGV PVID Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
date = "2016-01-30"


@ -6,6 +6,7 @@
rule CoreImpact_sysdll_exe {
meta:
description = "Detects a malware sysdll.exe from the Rocket Kitten APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
date = "27.12.2014"


@ -1,60 +0,0 @@
/*
Yara Rule Set
Author: Dragos Inc
Date: 2016-06-12
Identifier: Crash Override
*/
import "pe"
rule dragos_crashoverride_suspcious
{
meta:
description = "CRASHOVERRIDE v1 Wiper"
author = "Dragos Inc"
reference = "https://t.co/h8QaIP4FU8"
strings:
$s0 = "SYS_BASCON.COM" fullword nocase wide
$s1 = ".pcmp" fullword nocase wide
$s2 = ".pcmi" fullword nocase wide
$s3 = ".pcmt" fullword nocase wide
$s4 = ".cin" fullword nocase wide
condition:
pe.exports("Crash") and any of ($s*)
}
rule dragos_crashoverride_exporting_dlls {
meta:
description = "CRASHOVERRIDE v1 Suspicious Export"
author = "Dragos Inc"
reference = "https://t.co/h8QaIP4FU8"
condition:
pe.exports("Crash") & pe.characteristics
}
rule dragos_crashoverride_name_search {
meta:
description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
author = "Dragos Inc"
reference = "https://t.co/h8QaIP4FU8"
strings:
$s0 = "101.dll" fullword nocase wide
$s1 = "Crash101.dll" fullword nocase wide
$s2 = "104.dll" fullword nocase wide
$s3 = "Crash104.dll" fullword nocase wide
$s4 = "61850.dll" fullword nocase wide
$s5 = "Crash61850.dll" fullword nocase wide
$s6 = "OPCClientDemo.dll" fullword nocase wide
$s7 = "OPC" fullword nocase wide
$s8 = "CrashOPCClientDemo.dll" fullword nocase wide
$s9 = "D2MultiCommService.exe" fullword nocase wide
$s10 = "CrashD2MultiCommService.exe" fullword nocase wide $s11 = "61850.exe" fullword nocase wide
$s12 = "OPC.exe" fullword nocase wide
$s13 = "haslo.exe" fullword nocase wide
$s14 = "haslo.dat" fullword nocase wide
condition:
any of ($s*) and pe.exports("Crash")
}


@ -10,6 +10,7 @@
rule Mal_Dropper_httpEXE_from_CAB {
meta:
description = "Detects a dropper from a CAB file mentioned in the article"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/13Wgy1"
date = "2016-05-25"
@ -25,6 +26,7 @@ rule Mal_Dropper_httpEXE_from_CAB {
rule Mal_http_EXE {
meta:
description = "Detects trojan from APT report named http.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/13Wgy1"
date = "2016-05-25"
@ -55,6 +57,7 @@ rule Mal_http_EXE {
rule Mal_PotPlayer_DLL {
meta:
description = "Detects a malicious PotPlayer.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/13Wgy1"
date = "2016-05-25"


@ -12,6 +12,7 @@
rule MiniRAT_Gen_1 {
meta:
description = "Detects Mini RAT malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news"
date = "2018-01-22"


@ -13,6 +13,7 @@ import "pe"
rule APT_DarkHydrus_Jul18_1 {
meta:
description = "Detects strings found in malware samples in APT report in DarkHydrus"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
date = "2018-07-28"
@ -29,6 +30,7 @@ rule APT_DarkHydrus_Jul18_1 {
rule APT_DarkHydrus_Jul18_2 {
meta:
description = "Detects strings found in malware samples in APT report in DarkHydrus"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
date = "2018-07-28"
@ -48,6 +50,7 @@ rule APT_DarkHydrus_Jul18_2 {
rule APT_DarkHydrus_Jul18_3 {
meta:
description = "Detects strings found in malware samples in APT report in DarkHydrus"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
date = "2018-07-28"
@ -67,6 +70,7 @@ rule APT_DarkHydrus_Jul18_3 {
rule APT_DarkHydrus_Jul18_4 {
meta:
description = "Detects strings found in malware samples in APT report in DarkHydrus"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
date = "2018-07-28"
@ -87,6 +91,7 @@ rule APT_DarkHydrus_Jul18_4 {
rule APT_DarkHydrus_Jul18_5 {
meta:
description = "Detects strings found in malware samples in APT report in DarkHydrus"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
date = "2018-07-28"


@ -3,6 +3,7 @@
rule DeepPanda_sl_txt_packed {
meta:
description = "Hack Deep Panda - ScanLine sl-txt-packed"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2015/02/08"
hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
@ -22,6 +23,7 @@ rule DeepPanda_sl_txt_packed {
rule DeepPanda_lot1 {
meta:
description = "Hack Deep Panda - lot1.tmp-pwdump"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2015/02/08"
hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
@ -47,6 +49,7 @@ rule DeepPanda_lot1 {
rule DeepPanda_htran_exe {
meta:
description = "Hack Deep Panda - htran-exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2015/02/08"
hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
@ -66,6 +69,7 @@ rule DeepPanda_htran_exe {
rule DeepPanda_Trojan_Kakfum {
meta:
description = "Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2015/02/08"
hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"


@ -47,6 +47,7 @@ rule derusbi_linux
rule Derusbi_Kernel_Driver_WD_UDFS {
meta:
description = "Detects Derusbi Kernel Driver"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
@ -78,6 +79,7 @@ rule Derusbi_Kernel_Driver_WD_UDFS {
rule Derusbi_Code_Signing_Cert {
meta:
description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
@ -93,6 +95,7 @@ rule Derusbi_Code_Signing_Cert {
rule XOR_4byte_Key {
meta:
description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
@ -116,6 +119,7 @@ rule XOR_4byte_Key {
rule Derusbi_Backdoor_Mar17_1 {
meta:
description = "Detects a variant of the Derusbi backdoor"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-03-03"


@ -13,6 +13,7 @@ import "pe"
rule Unspecified_Malware_Sep1_A1 {
meta:
description = "Detects malware from DrqgonFly APT report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"
@ -27,6 +28,7 @@ rule Unspecified_Malware_Sep1_A1 {
rule DragonFly_APT_Sep17_1 {
meta:
description = "Detects malware from DrqgonFly APT report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"
@ -42,6 +44,7 @@ rule DragonFly_APT_Sep17_1 {
rule DragonFly_APT_Sep17_2 {
meta:
description = "Detects malware from DrqgonFly APT report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"
@ -62,6 +65,7 @@ rule DragonFly_APT_Sep17_2 {
rule DragonFly_APT_Sep17_3 {
meta:
description = "Detects malware from DrqgonFly APT report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"
@ -83,6 +87,7 @@ rule DragonFly_APT_Sep17_3 {
rule DragonFly_APT_Sep17_4 {
meta:
description = "Detects malware from DrqgonFly APT report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
date = "2017-09-12"


@ -10,6 +10,7 @@
rule Dubnium_Sample_1 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
@ -24,6 +25,7 @@ rule Dubnium_Sample_1 {
rule Dubnium_Sample_2 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
@ -38,6 +40,7 @@ rule Dubnium_Sample_2 {
rule Dubnium_Sample_3 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
@ -58,6 +61,7 @@ rule Dubnium_Sample_3 {
rule Dubnium_Sample_5 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
@ -81,6 +85,7 @@ rule Dubnium_Sample_5 {
rule Dubnium_Sample_6 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
@ -99,6 +104,7 @@ rule Dubnium_Sample_6 {
rule Dubnium_Sample_7 {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"
@ -121,6 +127,7 @@ rule Dubnium_Sample_7 {
rule Dubnium_Sample_SSHOpenSSL {
meta:
description = "Detects sample mentioned in the Dubnium Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/AW9Cuu"
date = "2016-06-10"


@ -10,6 +10,7 @@
rule Duqu2_Sample1 {
meta:
description = "Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi)"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
@ -28,6 +29,7 @@ rule Duqu2_Sample1 {
rule Duqu2_Sample2 {
meta:
description = "Detects Duqu2 Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
@ -48,6 +50,7 @@ rule Duqu2_Sample2 {
rule Duqu2_Sample3 {
meta:
description = "Detects Duqu2 Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
@ -62,6 +65,7 @@ rule Duqu2_Sample3 {
rule Duqu2_Sample4 {
meta:
description = "Detects Duqu2 Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"
@ -78,6 +82,7 @@ rule Duqu2_Sample4 {
rule Duqu2_UAs {
meta:
description = "Detects Duqu2 Executable based on the specific UAs in the file"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
date = "2016-07-02"


@ -8,6 +8,7 @@
rule Emissary_APT_Malware_1 {
meta:
description = "Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/V0epcf"
date = "2016-01-02"


@ -12,6 +12,7 @@ import "pe"
rule EQGRP_noclient_3_0_5 {
meta:
description = "Detects tool from EQGRP toolset - file noclient-3.0.5.3"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -29,6 +30,7 @@ rule EQGRP_noclient_3_0_5 {
rule EQGRP_installdate {
meta:
description = "Detects tool from EQGRP toolset - file installdate.pl"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -48,6 +50,7 @@ rule EQGRP_installdate {
rule EQGRP_teflondoor {
meta:
description = "Detects tool from EQGRP toolset - file teflondoor.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -69,6 +72,7 @@ rule EQGRP_teflondoor {
rule EQGRP_durablenapkin_solaris_2_0_1 {
meta:
description = "Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -86,6 +90,7 @@ rule EQGRP_durablenapkin_solaris_2_0_1 {
rule EQGRP_teflonhandle {
meta:
description = "Detects tool from EQGRP toolset - file teflonhandle.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -103,6 +108,7 @@ rule EQGRP_teflonhandle {
rule EQGRP_false {
meta:
description = "Detects tool from EQGRP toolset - file false.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -124,6 +130,7 @@ rule EQGRP_false {
rule EQGRP_dn_1_0_2_1 {
meta:
description = "Detects tool from EQGRP toolset - file dn.1.0.2.1.linux"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -140,6 +147,7 @@ rule EQGRP_dn_1_0_2_1 {
rule EQGRP_morel {
meta:
description = "Detects tool from EQGRP toolset - file morel.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -156,6 +164,7 @@ rule EQGRP_morel {
rule EQGRP_bc_parser {
meta:
description = "Detects tool from EQGRP toolset - file bc-parser"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -171,6 +180,7 @@ rule EQGRP_bc_parser {
rule EQGRP_1212 {
meta:
description = "Detects tool from EQGRP toolset - file 1212.pl"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -189,6 +199,7 @@ rule EQGRP_1212 {
rule EQGRP_1212_dehex {
meta:
description = "Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-15"
@ -215,6 +226,7 @@ rule EQGRP_1212_dehex {
rule install_get_persistent_filenames {
meta:
description = "EQGRP Toolset Firewall - file install_get_persistent_filenames"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -228,6 +240,7 @@ rule install_get_persistent_filenames {
rule EQGRP_create_dns_injection {
meta:
description = "EQGRP Toolset Firewall - file create_dns_injection.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -242,6 +255,7 @@ rule EQGRP_create_dns_injection {
rule EQGRP_screamingplow {
meta:
description = "EQGRP Toolset Firewall - file screamingplow.sh"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -256,6 +270,7 @@ rule EQGRP_screamingplow {
rule EQGRP_MixText {
meta:
description = "EQGRP Toolset Firewall - file MixText.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -269,6 +284,7 @@ rule EQGRP_MixText {
rule EQGRP_tunnel_state_reader {
meta:
description = "EQGRP Toolset Firewall - file tunnel_state_reader"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -283,6 +299,7 @@ rule EQGRP_tunnel_state_reader {
rule EQGRP_payload {
meta:
description = "EQGRP Toolset Firewall - file payload.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -297,6 +314,7 @@ rule EQGRP_payload {
rule EQGRP_eligiblecandidate {
meta:
description = "EQGRP Toolset Firewall - file eligiblecandidate.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -314,6 +332,7 @@ rule EQGRP_eligiblecandidate {
rule EQGRP_BUSURPER_2211_724 {
meta:
description = "EQGRP Toolset Firewall - file BUSURPER-2211-724.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -331,6 +350,7 @@ rule EQGRP_BUSURPER_2211_724 {
rule EQGRP_networkProfiler_orderScans {
meta:
description = "EQGRP Toolset Firewall - file networkProfiler_orderScans.sh"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -345,6 +365,7 @@ rule EQGRP_networkProfiler_orderScans {
rule EQGRP_epicbanana_2_1_0_1 {
meta:
description = "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -359,6 +380,7 @@ rule EQGRP_epicbanana_2_1_0_1 {
rule EQGRP_sniffer_xml2pcap {
meta:
description = "EQGRP Toolset Firewall - file sniffer_xml2pcap"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -373,6 +395,7 @@ rule EQGRP_sniffer_xml2pcap {
rule EQGRP_BananaAid {
meta:
description = "EQGRP Toolset Firewall - file BananaAid"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -389,6 +412,7 @@ rule EQGRP_BananaAid {
rule EQGRP_bo {
meta:
description = "EQGRP Toolset Firewall - file bo"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -406,6 +430,7 @@ rule EQGRP_bo {
rule EQGRP_SecondDate_2211 {
meta:
description = "EQGRP Toolset Firewall - file SecondDate-2211.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -422,6 +447,7 @@ rule EQGRP_SecondDate_2211 {
rule EQGRP_config_jp1_UA {
meta:
description = "EQGRP Toolset Firewall - file config_jp1_UA.pl"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -438,6 +464,7 @@ rule EQGRP_config_jp1_UA {
rule EQGRP_userscript {
meta:
description = "EQGRP Toolset Firewall - file userscript.FW"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -451,6 +478,7 @@ rule EQGRP_userscript {
rule EQGRP_BBALL_M50FW08_2201 {
meta:
description = "EQGRP Toolset Firewall - file BBALL_M50FW08-2201.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -469,6 +497,7 @@ rule EQGRP_BBALL_M50FW08_2201 {
rule EQGRP_BUSURPER_3001_724 {
meta:
description = "EQGRP Toolset Firewall - file BUSURPER-3001-724.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -484,6 +513,7 @@ rule EQGRP_BUSURPER_3001_724 {
rule EQGRP_workit {
meta:
description = "EQGRP Toolset Firewall - file workit.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -507,6 +537,7 @@ rule EQGRP_workit {
rule EQGRP_tinyhttp_setup {
meta:
description = "EQGRP Toolset Firewall - file tinyhttp_setup.sh"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -523,6 +554,7 @@ rule EQGRP_tinyhttp_setup {
rule EQGRP_shellcode {
meta:
description = "EQGRP Toolset Firewall - file shellcode.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -542,6 +574,7 @@ rule EQGRP_shellcode {
rule EQGRP_EPBA {
meta:
description = "EQGRP Toolset Firewall - file EPBA.script"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -561,6 +594,7 @@ rule EQGRP_EPBA {
rule EQGRP_BPIE {
meta:
description = "EQGRP Toolset Firewall - file BPIE-2201.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -581,6 +615,7 @@ rule EQGRP_BPIE {
rule EQGRP_jetplow_SH {
meta:
description = "EQGRP Toolset Firewall - file jetplow.sh"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -597,6 +632,7 @@ rule EQGRP_jetplow_SH {
rule EQGRP_BBANJO {
meta:
description = "EQGRP Toolset Firewall - file BBANJO-3011.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -616,6 +652,7 @@ rule EQGRP_BBANJO {
rule EQGRP_BPATROL_2201 {
meta:
description = "EQGRP Toolset Firewall - file BPATROL-2201.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -633,6 +670,7 @@ rule EQGRP_BPATROL_2201 {
rule EQGRP_extrabacon {
meta:
description = "EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -650,6 +688,7 @@ rule EQGRP_extrabacon {
rule EQGRP_sploit_py {
meta:
description = "EQGRP Toolset Firewall - file sploit.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -665,6 +704,7 @@ rule EQGRP_sploit_py {
rule EQGRP_uninstallPBD {
meta:
description = "EQGRP Toolset Firewall - file uninstallPBD.bat"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -680,6 +720,7 @@ rule EQGRP_uninstallPBD {
rule EQGRP_BICECREAM {
meta:
description = "EQGRP Toolset Firewall - file BICECREAM-2140"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -701,6 +742,7 @@ rule EQGRP_BICECREAM {
rule EQGRP_create_http_injection {
meta:
description = "EQGRP Toolset Firewall - file create_http_injection.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -719,6 +761,7 @@ rule EQGRP_create_http_injection {
rule EQGRP_BFLEA_2201 {
meta:
description = "EQGRP Toolset Firewall - file BFLEA-2201.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -738,6 +781,7 @@ rule EQGRP_BFLEA_2201 {
rule EQGRP_BpfCreator_RHEL4 {
meta:
description = "EQGRP Toolset Firewall - file BpfCreator-RHEL4"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -755,6 +799,7 @@ rule EQGRP_BpfCreator_RHEL4 {
rule EQGRP_StoreFc {
meta:
description = "EQGRP Toolset Firewall - file StoreFc.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -770,6 +815,7 @@ rule EQGRP_StoreFc {
rule EQGRP_hexdump {
meta:
description = "EQGRP Toolset Firewall - file hexdump.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -786,6 +832,7 @@ rule EQGRP_hexdump {
rule EQGRP_BBALL {
meta:
description = "EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -807,6 +854,7 @@ rule EQGRP_BBALL {
rule EQGRP_BARPUNCH_BPICKER {
meta:
description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -826,6 +874,7 @@ rule EQGRP_BARPUNCH_BPICKER {
rule EQGRP_Implants_Gen6 {
meta:
description = "EQGRP Toolset Firewall"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -854,6 +903,7 @@ rule EQGRP_Implants_Gen6 {
rule EQGRP_Implants_Gen5 {
meta:
description = "EQGRP Toolset Firewall"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -879,6 +929,7 @@ rule EQGRP_Implants_Gen5 {
rule EQGRP_pandarock {
meta:
description = "EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -906,6 +957,7 @@ rule EQGRP_pandarock {
rule EQGRP_BananaUsurper_writeJetPlow {
meta:
description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -925,6 +977,7 @@ rule EQGRP_BananaUsurper_writeJetPlow {
rule EQGRP_Implants_Gen4 {
meta:
description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -946,6 +999,7 @@ rule EQGRP_Implants_Gen4 {
rule EQGRP_Implants_Gen3 {
meta:
description = "EQGRP Toolset Firewall"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -969,6 +1023,7 @@ rule EQGRP_Implants_Gen3 {
rule EQGRP_BLIAR_BLIQUER {
meta:
description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1002,6 +1057,7 @@ rule EQGRP_BLIAR_BLIQUER {
rule EQGRP_sploit {
meta:
description = "EQGRP Toolset Firewall - from files sploit.py, sploit.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1024,6 +1080,7 @@ rule EQGRP_sploit {
rule EQGRP_Implants_Gen2 {
meta:
description = "EQGRP Toolset Firewall"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1055,6 +1112,7 @@ rule EQGRP_Implants_Gen2 {
rule EQGRP_Implants_Gen1 {
meta:
description = "EQGRP Toolset Firewall"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1084,6 +1142,7 @@ rule EQGRP_Implants_Gen1 {
rule EQGRP_eligiblebombshell_generic {
meta:
description = "EQGRP Toolset Firewall - from files eligiblebombshell_1.2.0.1.py, eligiblebombshell_1.2.0.1.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1101,6 +1160,7 @@ rule EQGRP_eligiblebombshell_generic {
rule EQGRP_ssh_telnet_29 {
meta:
description = "EQGRP Toolset Firewall - from files ssh.py, telnet.py"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1124,6 +1184,7 @@ rule EQGRP_ssh_telnet_29 {
rule EQGRP_tinyexec {
meta:
description = "EQGRP Toolset Firewall - from files tinyexec"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1137,6 +1198,7 @@ rule EQGRP_tinyexec {
rule EQGRP_callbacks {
meta:
description = "EQGRP Toolset Firewall - Callback addresses"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1149,6 +1211,7 @@ rule EQGRP_callbacks {
rule EQGRP_Extrabacon_Output {
meta:
description = "EQGRP Toolset Firewall - Extrabacon exploit output"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1165,6 +1228,7 @@ rule EQGRP_Extrabacon_Output {
rule EQGRP_Unique_Strings {
meta:
description = "EQGRP Toolset Firewall - Unique strings"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
@ -1178,6 +1242,7 @@ rule EQGRP_Unique_Strings {
rule EQGRP_RC5_RC6_Opcode {
meta:
description = "EQGRP Toolset Firewall - RC5 / RC6 opcode"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/blog/incidents/75812/the-equation-giveaway/"
date = "2016-08-17"
@ -1206,6 +1271,7 @@ rule EQGRP_RC5_RC6_Opcode {
rule EquationGroup_modifyAudit_Implant {
meta:
description = "EquationGroup Malware - file modifyAudit_Implant.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1222,6 +1288,7 @@ rule EquationGroup_modifyAudit_Implant {
rule EquationGroup_modifyAudit_Lp {
meta:
description = "EquationGroup Malware - file modifyAudit_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1239,6 +1306,7 @@ rule EquationGroup_modifyAudit_Lp {
rule EquationGroup_ProcessHide_Lp {
meta:
description = "EquationGroup Malware - file ProcessHide_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1258,6 +1326,7 @@ rule EquationGroup_ProcessHide_Lp {
rule EquationGroup_pwdump_Implant {
meta:
description = "EquationGroup Malware - file pwdump_Implant.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1273,6 +1342,7 @@ rule EquationGroup_pwdump_Implant {
rule EquationGroup_EquationDrug_Gen_5 {
meta:
description = "EquationGroup Malware - file PC_Level3_http_dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1289,6 +1359,7 @@ rule EquationGroup_EquationDrug_Gen_5 {
rule EquationGroup_PC_Level3_http_flav_dll {
meta:
description = "EquationGroup Malware - file PC_Level3_http_flav_dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1306,6 +1377,7 @@ rule EquationGroup_PC_Level3_http_flav_dll {
rule EquationGroup_LSADUMP_Lp {
meta:
description = "EquationGroup Malware - file LSADUMP_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1319,6 +1391,7 @@ rule EquationGroup_LSADUMP_Lp {
rule EquationGroup_EquationDrug_mstcp32 {
meta:
description = "EquationGroup Malware - file mstcp32.sys"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1340,6 +1413,7 @@ rule EquationGroup_EquationDrug_mstcp32 {
rule EquationGroup_nethide_Lp {
meta:
description = "EquationGroup Malware - file nethide_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1357,6 +1431,7 @@ rule EquationGroup_nethide_Lp {
rule EquationGroup_PC_Level4_flav_dll_x64 {
meta:
description = "EquationGroup Malware - file PC_Level4_flav_dll_x64"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1372,6 +1447,7 @@ rule EquationGroup_PC_Level4_flav_dll_x64 {
rule EquationGroup_PC_Level4_flav_exe {
meta:
description = "EquationGroup Malware - file PC_Level4_flav_exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1390,6 +1466,7 @@ rule EquationGroup_PC_Level4_flav_exe {
rule EquationGroup_processinfo_Implant {
meta:
description = "EquationGroup Malware - file processinfo_Implant.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1421,6 +1498,7 @@ rule EquationGroup_EquationDrug_Gen_2 {
rule EquationGroup_EquationDrug_ntevt {
meta:
description = "EquationGroup Malware - file ntevt.sys"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1435,6 +1513,7 @@ rule EquationGroup_EquationDrug_ntevt {
rule EquationGroup_nethide_Implant {
meta:
description = "EquationGroup Malware - file nethide_Implant.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1464,6 +1543,7 @@ rule EquationGroup_EquationDrug_Gen_4 {
rule EquationGroup_EquationDrug_tdi6 {
meta:
description = "EquationGroup Malware - file tdi6.sys"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1480,6 +1560,7 @@ rule EquationGroup_EquationDrug_tdi6 {
rule EquationGroup_modifyAuthentication_Implant {
meta:
description = "EquationGroup Malware - file modifyAuthentication_Implant.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1497,6 +1578,7 @@ rule EquationGroup_modifyAuthentication_Implant {
rule EquationGroup_ntfltmgr {
meta:
description = "EquationGroup Malware - file ntfltmgr.sys"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1513,6 +1595,7 @@ rule EquationGroup_ntfltmgr {
rule EquationGroup_DXGHLP16 {
meta:
description = "EquationGroup Malware - file DXGHLP16.SYS"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1534,6 +1617,7 @@ rule EquationGroup_DXGHLP16 {
rule EquationGroup_EquationDrug_msgkd {
meta:
description = "EquationGroup Malware - file msgkd.ex_"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1548,6 +1632,7 @@ rule EquationGroup_EquationDrug_msgkd {
rule EquationGroup_RunAsChild_Lp {
meta:
description = "EquationGroup Malware - file RunAsChild_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1563,6 +1648,7 @@ rule EquationGroup_RunAsChild_Lp {
rule EquationGroup_EquationDrug_Gen_6 {
meta:
description = "EquationGroup Malware - file PC_Level3_dll_x64"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1578,6 +1664,7 @@ rule EquationGroup_EquationDrug_Gen_6 {
rule EquationGroup_PC_Level3_http_flav_dll_x64 {
meta:
description = "EquationGroup Malware - file PC_Level3_http_flav_dll_x64"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1610,6 +1697,7 @@ rule EquationGroup_EquationDrug_Gen_3 {
rule EquationGroup_GetAdmin_Lp {
meta:
description = "EquationGroup Malware - file GetAdmin_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1624,6 +1712,7 @@ rule EquationGroup_GetAdmin_Lp {
rule EquationGroup_ModifyGroup_Lp {
meta:
description = "EquationGroup Malware - file ModifyGroup_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1638,6 +1727,7 @@ rule EquationGroup_ModifyGroup_Lp {
rule EquationGroup_pwdump_Lp {
meta:
description = "EquationGroup Malware - file pwdump_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1651,6 +1741,7 @@ rule EquationGroup_pwdump_Lp {
rule EquationGroup_EventLogEdit_Implant {
meta:
description = "EquationGroup Malware - file EventLogEdit_Implant.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1666,6 +1757,7 @@ rule EquationGroup_EventLogEdit_Implant {
rule EquationGroup_PortMap_Lp {
meta:
description = "EquationGroup Malware - file PortMap_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1681,6 +1773,7 @@ rule EquationGroup_PortMap_Lp {
rule EquationGroup_ProcessOptions_Lp {
meta:
description = "EquationGroup Malware - file ProcessOptions_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1694,6 +1787,7 @@ rule EquationGroup_ProcessOptions_Lp {
rule EquationGroup_PassFreely_Lp {
meta:
description = "EquationGroup Malware - file PassFreely_Lp.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"
@ -1711,6 +1805,7 @@ rule EquationGroup_PassFreely_Lp {
rule EquationGroup_EquationDrug_Gen_1 {
meta:
description = "EquationGroup Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/tcSoiJ"
date = "2017-01-13"



@ -12,6 +12,7 @@
rule Backdoor_Redosdru_Jun17 {
meta:
description = "Detects malware Redosdru - file systemHome.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/OOB3mH"
date = "2017-06-04"
@ -36,6 +37,7 @@ rule Backdoor_Redosdru_Jun17 {
rule Backdoor_Nitol_Jun17 {
meta:
description = "Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/OOB3mH"
date = "2017-06-04"


@ -8,6 +8,7 @@
rule FakeM_Generic {
meta:
description = "Detects FakeM malware samples"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
date = "2016-01-25"


@ -10,6 +10,7 @@
rule COZY_FANCY_BEAR_Hunt {
meta:
description = "Detects Cozy Bear / Fancy Bear C2 Server IPs"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
date = "2016-06-14"
@ -28,6 +29,7 @@ rule COZY_FANCY_BEAR_Hunt {
rule COZY_FANCY_BEAR_pagemgr_Hunt {
meta:
description = "Detects a pagemgr.exe as mentioned in the CrowdStrike report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
date = "2016-06-14"


@ -1,6 +1,7 @@
rule MAL_OSX_FancyBear_Agent_Jul18_1 {
meta:
description = "Detects FancyBear Agent for OSX"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://twitter.com/DrunkBinary/status/1018448895054098432"
date = "2018-07-15"


@ -2,7 +2,8 @@
rule Fidelis_Advisory_Purchase_Order_pps {
meta:
description = "Detects a string found in a malicious document named Purchase_Order.pps"
author = "Florian Roth"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/ZjJyti"
date = "2015-06-09"
strings:
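Review bot: This hunk shows `author = "Florian Roth"` both before and after the inserted `license` line, unlike every other hunk on the page where a single `author` line follows `license`. The hunk header's -7/+8 count suggests the old `author` line was removed and re-added below `license` (a reorder) rather than duplicated, but the rendered view has lost the +/- markers, so it is worth confirming that the new side of Fidelis_Advisory_Purchase_Order_pps carries exactly one `author` entry; as far as I know the YARA compiler does not reject a repeated meta key, and consumers that map meta into a dictionary would silently keep only the last occurrence. The rule's `strings:` section continues outside the hunk.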


@ -13,6 +13,7 @@ import "pe"
rule APT_FIN7_Strings_Aug18_1 {
meta:
description = "Detects strings from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -30,6 +31,7 @@ rule APT_FIN7_Strings_Aug18_1 {
rule APT_FIN7_Sample_Aug18_2 {
meta:
description = "Detects FIN7 malware sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -47,6 +49,7 @@ rule APT_FIN7_Sample_Aug18_2 {
rule APT_FIN7_MalDoc_Aug18_1 {
meta:
description = "Detects malicious Doc from FIN7 campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -60,6 +63,7 @@ rule APT_FIN7_MalDoc_Aug18_1 {
rule APT_FIN7_Sample_Aug18_1 {
meta:
description = "Detects FIN7 samples mentioned in FireEye report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -87,6 +91,7 @@ rule APT_FIN7_Sample_Aug18_1 {
rule APT_FIN7_EXE_Sample_Aug18_1 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -100,6 +105,7 @@ rule APT_FIN7_EXE_Sample_Aug18_1 {
rule APT_FIN7_EXE_Sample_Aug18_2 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -114,6 +120,7 @@ rule APT_FIN7_EXE_Sample_Aug18_2 {
rule APT_FIN7_EXE_Sample_Aug18_3 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -128,6 +135,7 @@ rule APT_FIN7_EXE_Sample_Aug18_3 {
rule APT_FIN7_EXE_Sample_Aug18_4 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -143,6 +151,7 @@ rule APT_FIN7_EXE_Sample_Aug18_4 {
rule APT_FIN7_EXE_Sample_Aug18_5 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -158,6 +167,7 @@ rule APT_FIN7_EXE_Sample_Aug18_5 {
rule APT_FIN7_EXE_Sample_Aug18_6 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -181,6 +191,7 @@ rule APT_FIN7_EXE_Sample_Aug18_6 {
rule APT_FIN7_EXE_Sample_Aug18_7 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -195,6 +206,7 @@ rule APT_FIN7_EXE_Sample_Aug18_7 {
rule APT_FIN7_EXE_Sample_Aug18_8 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -208,6 +220,7 @@ rule APT_FIN7_EXE_Sample_Aug18_8 {
rule APT_FIN7_EXE_Sample_Aug18_10 {
meta:
description = "Detects sample from FIN7 report in August 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"
@ -225,6 +238,7 @@ rule APT_FIN7_EXE_Sample_Aug18_10 {
rule APT_FIN7_Sample_EXE_Aug18_1 {
meta:
description = "Detects FIN7 Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
date = "2018-08-01"


@ -12,6 +12,7 @@
rule FIN7_Dropper_Aug17 {
meta:
description = "Detects Word Dropper from Proofpoint FIN7 Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
date = "2017-08-04"


@ -13,6 +13,7 @@ import "pe"
rule Foudre_Backdoor_1 {
meta:
description = "Detects Foudre Backdoor"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/Nbqbt6"
date = "2017-08-01"
@ -29,6 +30,7 @@ rule Foudre_Backdoor_1 {
rule Foudre_Backdoor_Dropper_1 {
meta:
description = "Detects Foudre Backdoor"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/Nbqbt6"
date = "2017-08-01"
@ -49,6 +51,7 @@ rule Foudre_Backdoor_Dropper_1 {
rule Foudre_Backdoor_Component_1 {
meta:
description = "Detects Foudre Backdoor"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/Nbqbt6"
date = "2017-08-01"
@ -70,6 +73,7 @@ rule Foudre_Backdoor_Component_1 {
rule Foudre_Backdoor_SFX {
meta:
description = "Detects Foudre Backdoor SFX"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/Nbqbt6"
date = "2017-08-01"


@ -11,6 +11,7 @@
rule FourElementSword_Config_File {
meta:
description = "Detects FourElementSword Malware - file f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
@ -28,6 +29,7 @@ rule FourElementSword_Config_File {
rule FourElementSword_T9000 {
meta:
description = "Detects FourElementSword Malware - file 5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
@ -47,6 +49,7 @@ rule FourElementSword_T9000 {
rule FourElementSword_32DLL {
meta:
description = "Detects FourElementSword Malware - file 7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
@ -64,6 +67,7 @@ rule FourElementSword_32DLL {
rule FourElementSword_Keyainst_EXE {
meta:
description = "Detects FourElementSword Malware - file cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
@ -81,6 +85,7 @@ rule FourElementSword_Keyainst_EXE {
rule FourElementSword_ElevateDLL_2 {
meta:
description = "Detects FourElementSword Malware - file 9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
@ -96,6 +101,7 @@ rule FourElementSword_ElevateDLL_2 {
rule FourElementSword_fslapi_dll_gui {
meta:
description = "Detects FourElementSword Malware - file 2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
@ -111,6 +117,7 @@ rule FourElementSword_fslapi_dll_gui {
rule FourElementSword_PowerShell_Start {
meta:
description = "Detects FourElementSword Malware - file 9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
@ -125,6 +132,7 @@ rule FourElementSword_PowerShell_Start {
rule FourElementSword_ResN32DLL {
meta:
description = "Detects FourElementSword Malware - file bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"
@ -142,6 +150,7 @@ rule FourElementSword_ResN32DLL {
rule FourElementSword_ElevateDLL {
meta:
description = "Detects FourElementSword Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/"
date = "2016-04-18"


@ -13,6 +13,7 @@ import "pe"
rule FreeMilk_APT_Mal_1 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
@ -39,6 +40,7 @@ rule FreeMilk_APT_Mal_1 {
rule FreeMilk_APT_Mal_2 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
@ -58,6 +60,7 @@ rule FreeMilk_APT_Mal_2 {
rule FreeMilk_APT_Mal_3 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"
@ -74,6 +77,7 @@ rule FreeMilk_APT_Mal_3 {
rule FreeMilk_APT_Mal_4 {
meta:
description = "Detects malware from FreeMilk campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
date = "2017-10-05"


@ -8,6 +8,7 @@
rule Furtim_nativeDLL {
meta:
description = "Detects Furtim malware - file native.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "MISP 3971"
date = "2016-06-13"
@ -32,6 +33,7 @@ rule Furtim_nativeDLL {
rule Furtim_Parent_1 {
meta:
description = "Detects Furtim Parent Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://sentinelone.com/blogs/sfg-furtims-parent/"
date = "2016-07-16"


@ -72,6 +72,7 @@ rule FVEY_ShadowBroker_Auct_Dez16_Strings {
rule FVEY_ShadowBroker_violetspirit {
meta:
description = "Auto-generated rule - file violetspirit.README"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -85,6 +86,7 @@ rule FVEY_ShadowBroker_violetspirit {
rule FVEY_ShadowBroker_gr_gr {
meta:
description = "Auto-generated rule - file gr.notes"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -98,6 +100,7 @@ rule FVEY_ShadowBroker_gr_gr {
rule FVEY_ShadowBroker_user_tool_yellowspirit {
meta:
description = "Auto-generated rule - file user.tool.yellowspirit.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -112,6 +115,7 @@ rule FVEY_ShadowBroker_user_tool_yellowspirit {
rule FVEY_ShadowBroker_eleganteagle_opscript_1_0_0 {
meta:
description = "Auto-generated rule - file eleganteagle_opscript.1.0.0.6"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -125,6 +129,7 @@ rule FVEY_ShadowBroker_eleganteagle_opscript_1_0_0 {
rule FVEY_ShadowBroker_opscript {
meta:
description = "Auto-generated rule - file opscript.se"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -138,6 +143,7 @@ rule FVEY_ShadowBroker_opscript {
rule FVEY_ShadowBroker_user_tool_shentysdelight {
meta:
description = "Auto-generated rule - file user.tool.shentysdelight.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -151,6 +157,7 @@ rule FVEY_ShadowBroker_user_tool_shentysdelight {
rule FVEY_ShadowBroker_user_tool_epichero {
meta:
description = "Auto-generated rule - file user.tool.epichero.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -165,6 +172,7 @@ rule FVEY_ShadowBroker_user_tool_epichero {
rule FVEY_ShadowBroker_user_tool {
meta:
description = "Auto-generated rule - file user.tool.elatedmonkey"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -178,6 +186,7 @@ rule FVEY_ShadowBroker_user_tool {
rule FVEY_ShadowBroker_user_tool_dubmoat {
meta:
description = "Auto-generated rule - file user.tool.dubmoat.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -192,6 +201,7 @@ rule FVEY_ShadowBroker_user_tool_dubmoat {
rule FVEY_ShadowBroker_strifeworld {
meta:
description = "Auto-generated rule - file strifeworld.1"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -206,6 +216,7 @@ rule FVEY_ShadowBroker_strifeworld {
rule FVEY_ShadowBroker_user_tool_pork {
meta:
description = "Auto-generated rule - file user.tool.pork.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -221,6 +232,7 @@ rule FVEY_ShadowBroker_user_tool_pork {
rule FVEY_ShadowBroker_user_tool_ebbisland {
meta:
description = "Auto-generated rule - file user.tool.ebbisland.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -235,6 +247,7 @@ rule FVEY_ShadowBroker_user_tool_ebbisland {
rule FVEY_ShadowBroker_user_tool_stoicsurgeon {
meta:
description = "Auto-generated rule - file user.tool.stoicsurgeon.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -248,6 +261,7 @@ rule FVEY_ShadowBroker_user_tool_stoicsurgeon {
rule FVEY_ShadowBroker_user_tool_elgingamble {
meta:
description = "Auto-generated rule - file user.tool.elgingamble.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -261,6 +275,7 @@ rule FVEY_ShadowBroker_user_tool_elgingamble {
rule FVEY_ShadowBroker_README_cup {
meta:
description = "Auto-generated rule - file README.cup.NOPEN"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -275,6 +290,7 @@ rule FVEY_ShadowBroker_README_cup {
rule FVEY_ShadowBroker_nopen_oneshot {
meta:
description = "Auto-generated rule - file oneshot.example"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -288,6 +304,7 @@ rule FVEY_ShadowBroker_nopen_oneshot {
rule FVEY_ShadowBroker_user_tool_earlyshovel {
meta:
description = "Auto-generated rule - file user.tool.earlyshovel.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -301,6 +318,7 @@ rule FVEY_ShadowBroker_user_tool_earlyshovel {
rule FVEY_ShadowBroker_user_tool_envisioncollision {
meta:
description = "Auto-generated rule - file user.tool.envisioncollision.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -319,6 +337,7 @@ rule FVEY_ShadowBroker_user_tool_envisioncollision {
rule FVEY_ShadowBroker_Gen_Readme1 {
meta:
description = "Auto-generated rule"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -335,6 +354,7 @@ rule FVEY_ShadowBroker_Gen_Readme1 {
rule FVEY_ShadowBroker_Gen_Readme2 {
meta:
description = "Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -350,6 +370,7 @@ rule FVEY_ShadowBroker_Gen_Readme2 {
rule FVEY_ShadowBroker_Gen_Readme3 {
meta:
description = "Auto-generated rule"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
@ -370,6 +391,7 @@ rule FVEY_ShadowBroker_Gen_Readme3 {
rule FVEY_ShadowBroker_Gen_Readme4 {
meta:
description = "Auto-generated rule - from files violetspirit.README, violetspirit.README"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"


@ -10,6 +10,7 @@
rule FVEY_ShadowBrokers_Jan17_Screen_Strings {
meta:
description = "Detects strings derived from the ShadowBroker's leak of Windows tools/exploits"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message7/"
date = "2017-01-08"


@ -8,6 +8,7 @@
rule GhostDragon_Gh0stRAT {
meta:
description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/the-ghost-dragon"
date = "2016-04-23"
@ -53,6 +54,7 @@ rule GhostDragon_Gh0stRAT {
rule GhostDragon_Gh0stRAT_Sample2 {
meta:
description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/the-ghost-dragon"
date = "2016-04-23"
@ -74,6 +76,7 @@ rule GhostDragon_Gh0stRAT_Sample2 {
rule GhostDragon_Gh0stRAT_Sample3 {
meta:
description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/the-ghost-dragon"
date = "2016-04-23"


@ -44,6 +44,7 @@ rule glassRAT
rule GlassRAT_Generic {
meta:
description = "Detects GlassRAT Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blogs.rsa.com/peering-into-glassrat/"
date = "2015-11-23"


@ -13,6 +13,7 @@ import "pe"
rule GoldDragon_malware_Feb18_1 {
meta:
description = "Detects malware from Gold Dragon report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
date = "2018-02-03"
@ -29,6 +30,7 @@ rule GoldDragon_malware_Feb18_1 {
rule GoldDragon_Aux_File {
meta:
description = "Detects export from Gold Dragon - February 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
date = "2018-02-03"
@ -42,6 +44,7 @@ rule GoldDragon_Aux_File {
rule GoldDragon_Ghost419_RAT {
meta:
description = "Detects Ghost419 RAT from Gold Dragon report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/rW1yvZ"
date = "2018-02-03"
@ -82,6 +85,7 @@ rule GoldDragon_Ghost419_RAT {
rule GoldDragon_RunningRAT {
meta:
description = "Detects Running RAT from Gold Dragon report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/rW1yvZ"
date = "2018-02-03"
@ -122,6 +126,7 @@ rule GoldDragon_RunningRAT {
rule GoldDragon_RunnignRAT {
meta:
description = "Detects Running RAT malware from Gold Dragon report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/rW1yvZ"
date = "2018-02-03"


@ -12,6 +12,7 @@ import "pe"
rule Greenbug_Malware_1 {
meta:
description = "Detects Malware from Greenbug Incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/urp4CD"
date = "2017-01-25"
@ -26,6 +27,7 @@ rule Greenbug_Malware_1 {
rule Greenbug_Malware_2 {
meta:
description = "Detects Backdoor from Greenbug Incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/urp4CD"
date = "2017-01-25"
@ -52,6 +54,7 @@ rule Greenbug_Malware_2 {
rule Greenbug_Malware_3 {
meta:
description = "Detects Backdoor from Greenbug Incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/urp4CD"
date = "2017-01-25"
@ -69,6 +72,7 @@ rule Greenbug_Malware_3 {
rule Greenbug_Malware_4 {
meta:
description = "Detects ISMDoor Backdoor"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/urp4CD"
date = "2017-01-25"
@ -95,6 +99,7 @@ rule Greenbug_Malware_4 {
rule Greenbug_Malware_5 {
meta:
description = "Auto-generated rule"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/urp4CD"
date = "2017-01-25"
@ -130,6 +135,7 @@ rule Greenbug_Malware_5 {
rule Greenbug_Malware_Nov17_1 {
meta:
description = "Detects Greenbug Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.clearskysec.com/greenbug/"
date = "2017-11-26"


@ -842,6 +842,7 @@ rule IMPLANT_4_v3_AlternativeRule {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
comment = "Alternative rule - not based on the original samples but samples on which the original rule matched"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "US CERT Grizzly Steppe Report"
date = "2017-02-12"


@ -10,6 +10,7 @@
rule bin_ndisk {
meta:
description = "Hacking Team Disclosure Sample - file ndisk.sys"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/"
date = "2015-07-07"
@ -31,6 +32,7 @@ rule bin_ndisk {
rule Hackingteam_Elevator_DLL {
meta:
description = "Hacking Team Disclosure Sample - file elevator.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://t.co/EG0qtVcKLh"
date = "2015-07-07"
@ -54,6 +56,7 @@ rule Hackingteam_Elevator_DLL {
rule HackingTeam_Elevator_EXE {
meta:
description = "Hacking Team Disclosure Sample - file elevator.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Hacking Team Disclosure elevator.c"
date = "2015-07-07"


@ -85,6 +85,7 @@ import "pe"
rule APT_HiddenCobra_GhostSecret_1 {
meta:
description = "Detects Hidden Cobra Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
date = "2018-08-11"
@ -99,6 +100,7 @@ rule APT_HiddenCobra_GhostSecret_1 {
rule APT_HiddenCobra_GhostSecret_2 {
meta:
description = "Detects Hidden Cobra Sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
date = "2018-08-11"


@ -11,6 +11,7 @@
rule HiddenCobra_BANKSHOT_Gen {
meta:
description = "Detects Hidden Cobra BANKSHOT trojan"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
date = "2017-12-26"


@ -11,6 +11,7 @@
rule IceFog_Malware_Feb18_1 {
meta:
description = "Detects IceFog malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://twitter.com/ClearskySec/status/968104465818669057"
date = "2018-02-26"


@ -8,6 +8,7 @@
rule Indetectables_RAT {
meta:
description = "Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/"
date = "2015-10-01"
@ -33,6 +34,7 @@ rule Indetectables_RAT {
rule BergSilva_Malware {
meta:
description = "Detects a malware from the same author as the Indetectables RAT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2015-10-01"
super_rule = 1


@ -12,6 +12,7 @@
rule Industroyer_Malware_1 {
meta:
description = "Detects Industroyer related malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
@ -37,6 +38,7 @@ rule Industroyer_Malware_1 {
rule Industroyer_Malware_2 {
meta:
description = "Detects Industroyer related malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
@ -75,6 +77,7 @@ rule Industroyer_Malware_2 {
rule Industroyer_Portscan_3 {
meta:
description = "Detects Industroyer related custom port scaner"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
@ -96,6 +99,7 @@ rule Industroyer_Portscan_3 {
rule Industroyer_Portscan_3_Output {
meta:
description = "Detects Industroyer related custom port scaner output file"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
@ -109,6 +113,7 @@ rule Industroyer_Portscan_3_Output {
rule Industroyer_Malware_4 {
meta:
description = "Detects Industroyer related malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
@ -126,6 +131,7 @@ rule Industroyer_Malware_4 {
rule Industroyer_Malware_5 {
meta:
description = "Detects Industroyer related malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"


@ -10,6 +10,7 @@
rule IronGate_APT_Step7ProSim_Gen {
meta:
description = "Detects IronGate APT Malware - Step7ProSim DLL"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/Mr6M2J"
date = "2016-06-04"
@ -40,6 +41,7 @@ rule IronGate_APT_Step7ProSim_Gen {
rule IronGate_PyInstaller_update_EXE {
meta:
description = "Detects a PyInstaller file named update.exe as mentioned in the IronGate APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/Mr6M2J"
date = "2016-06-04"
@ -63,6 +65,7 @@ rule IronGate_PyInstaller_update_EXE {
rule Nirsoft_NetResView {
meta:
description = "Detects NirSoft NetResView - utility that displays the list of all network resources"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/Mr6M2J"
date = "2016-06-04"


@ -10,6 +10,7 @@
rule IronPanda_DNSTunClient {
meta:
description = "Iron Panda malware DnsTunClient - file named.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
@ -36,6 +37,7 @@ rule IronPanda_DNSTunClient {
rule IronPanda_Malware1 {
meta:
description = "Iron Panda Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
@ -53,6 +55,7 @@ rule IronPanda_Malware1 {
rule IronPanda_Webshell_JSP {
meta:
description = "Iron Panda Malware JSP"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
@ -68,6 +71,7 @@ rule IronPanda_Webshell_JSP {
rule IronPanda_Malware_Htran {
meta:
description = "Iron Panda Malware Htran"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
@ -96,6 +100,7 @@ rule IronPanda_Malware_Htran {
rule IronPanda_Malware2 {
meta:
description = "Iron Panda Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
@ -113,6 +118,7 @@ rule IronPanda_Malware2 {
rule IronPanda_Malware3 {
meta:
description = "Iron Panda Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
@ -131,6 +137,7 @@ rule IronPanda_Malware3 {
rule IronPanda_Malware4 {
meta:
description = "Iron Panda Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"


@ -59,6 +59,7 @@ rule apt_duqu2_drivers {
rule Duqu2_Generic1 {
meta:
description = "Kaspersky APT Report - Duqu2 Sample - Generic Rule"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/7yKyOj"
date = "2015-06-10"
@ -88,6 +89,7 @@ rule Duqu2_Generic1 {
rule APT_Kaspersky_Duqu2_procexp {
meta:
description = "Kaspersky APT Report - Duqu2 Sample - Malicious MSI"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/7yKyOj"
date = "2015-06-10"
@ -110,6 +112,7 @@ rule APT_Kaspersky_Duqu2_procexp {
rule APT_Kaspersky_Duqu2_SamsungPrint {
meta:
description = "Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/7yKyOj"
date = "2015-06-10"
@ -128,6 +131,7 @@ rule APT_Kaspersky_Duqu2_SamsungPrint {
rule APT_Kaspersky_Duqu2_msi3_32 {
meta:
description = "Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/7yKyOj"
date = "2015-06-10"


@ -13,6 +13,7 @@ import "pe"
rule KeyBoys_malware_1 {
meta:
description = "Detects Keyboys malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html"
date = "2017-11-02"


@ -8,6 +8,7 @@
rule Keylogger_CN_APT {
meta:
description = "Keylogger - generic rule for a Chinese variant"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2016-03-07"
score = 75


@ -13,6 +13,7 @@ import "pe"
rule KHRAT_Malware {
meta:
description = "Detects an Imphash of KHRAT malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
date = "2017-08-31"
@ -24,6 +25,7 @@ rule KHRAT_Malware {
rule MAL_KHRAT_script {
meta:
description = "Rule derived from KHRAT script but can match on other malicious scripts as well"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
date = "2017-08-31"
@ -39,6 +41,7 @@ rule MAL_KHRAT_script {
rule MAL_KHRAT_scritplet {
meta:
description = "Rule derived from KHRAT scriptlet"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
date = "2017-08-31"


@ -1,7 +1,8 @@
rule Korplug_FAST {
meta:
description = "Rule to detect Korplug/PlugX FAST variant"
author = "Florian Roth"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2015-08-20"
hash = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371"
strings:


@ -8,6 +8,7 @@
rule asp_file {
meta:
description = "Laudanum Injector Tools - file file.asp"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -26,6 +27,7 @@ rule asp_file {
rule php_killnc {
meta:
description = "Laudanum Injector Tools - file killnc.php"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -43,6 +45,7 @@ rule php_killnc {
rule asp_shell {
meta:
description = "Laudanum Injector Tools - file shell.asp"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -62,6 +65,7 @@ rule asp_shell {
rule settings {
meta:
description = "Laudanum Injector Tools - file settings.php"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -77,6 +81,7 @@ rule settings {
rule asp_proxy {
meta:
description = "Laudanum Injector Tools - file proxy.asp"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -95,6 +100,7 @@ rule asp_proxy {
rule cfm_shell {
meta:
description = "Laudanum Injector Tools - file shell.cfm"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -110,6 +116,7 @@ rule cfm_shell {
rule aspx_shell {
meta:
description = "Laudanum Injector Tools - file shell.aspx"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -126,6 +133,7 @@ rule aspx_shell {
rule php_shell {
meta:
description = "Laudanum Injector Tools - file shell.php"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -142,6 +150,7 @@ rule php_shell {
rule php_reverse_shell {
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -157,6 +166,7 @@ rule php_reverse_shell {
rule php_dns {
meta:
description = "Laudanum Injector Tools - file dns.php"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -173,6 +183,7 @@ rule php_dns {
rule WEB_INF_web {
meta:
description = "Laudanum Injector Tools - file web.xml"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -187,6 +198,7 @@ rule WEB_INF_web {
rule jsp_cmd {
meta:
description = "Laudanum Injector Tools - file cmd.war"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -204,6 +216,7 @@ rule jsp_cmd {
rule laudanum {
meta:
description = "Laudanum Injector Tools - file laudanum.php"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -218,6 +231,7 @@ rule laudanum {
rule php_file {
meta:
description = "Laudanum Injector Tools - file file.php"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -234,6 +248,7 @@ rule php_file {
rule warfiles_cmd {
meta:
description = "Laudanum Injector Tools - file cmd.jsp"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -250,6 +265,7 @@ rule warfiles_cmd {
rule asp_dns {
meta:
description = "Laudanum Injector Tools - file dns.asp"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -266,6 +282,7 @@ rule asp_dns {
rule php_reverse_shell_2 {
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
@ -280,6 +297,7 @@ rule php_reverse_shell_2 {
rule Laudanum_Tools_Generic {
meta:
description = "Laudanum Injector Tools"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"


@ -13,6 +13,7 @@ import "pe"
rule APT_Lazarus_Aug18_Downloader_1 {
meta:
description = "Detects Lazarus Group Malware Downloadery"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/operation-applejeus/87553/"
date = "2018-08-24"
@ -37,6 +38,7 @@ rule APT_Lazarus_Aug18_Downloader_1 {
rule APT_Lazarus_Aug18_1 {
meta:
description = "Detects Lazarus Group Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/operation-applejeus/87553/"
date = "2018-08-24"
@ -58,6 +60,7 @@ rule APT_Lazarus_Aug18_1 {
rule APT_Lazarus_Aug18_2 {
meta:
description = "Detects Lazarus Group Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/operation-applejeus/87553/"
date = "2018-08-24"
@ -77,6 +80,7 @@ rule APT_Lazarus_Aug18_2 {
rule APT_FallChill_RC4_Keys {
meta:
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
description = "Detects FallChill RC4 keys"
reference = "https://securelist.com/operation-applejeus/87553/"
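Review bot: In `APT_FallChill_RC4_Keys` the new `license` line is inserted before `description`, whereas every other rule in this commit places it directly after `description`; a uniform key order keeps the meta blocks greppable and parseable the same way across the rule set. Swapping the two lines, `description = "Detects FallChill RC4 keys"` first and `license = "https://creativecommons.org/licenses/by-nc/4.0/"` second, restores the pattern. The rule body continues outside the hunk.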


@ -12,6 +12,7 @@
rule Lazarus_Dec_17_1 {
meta:
description = "Detects Lazarus malware from incident in Dec 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/8U6fY2"
date = "2017-12-20"
@ -29,6 +30,7 @@ rule Lazarus_Dec_17_1 {
rule Lazarus_Dec_17_2 {
meta:
description = "Detects Lazarus malware from incident in Dec 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/8U6fY2"
date = "2017-12-20"
@ -49,6 +51,7 @@ rule Lazarus_Dec_17_2 {
rule Lazarus_Dec_17_4 {
meta:
description = "Detects Lazarus malware from incident in Dec 2017ithumb.js"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/8U6fY2"
date = "2017-12-20"
@ -63,6 +66,7 @@ rule Lazarus_Dec_17_4 {
rule Lazarus_Dec_17_5 {
meta:
description = "Detects Lazarus malware from incident in Dec 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/8U6fY2"
date = "2017-12-20"
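Review bot: The description of `Lazarus_Dec_17_4`, `"Detects Lazarus malware from incident in Dec 2017ithumb.js"`, appears to have a file name fused onto the sentence, and since this commit already edits that meta block it is a good moment to fix it. Separating the two, e.g. `description = "Detects Lazarus malware from incident in Dec 2017 - ithumb.js"`, would make the rule's intent readable in scanner output; whether `ithumb.js` is the sample's file name should be confirmed against the referenced report. The rule body continues outside the hunk.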


@ -13,6 +13,7 @@ import "pe"
rule APT_Lazarus_Dropper_Jun18_1 {
meta:
description = "Detects Lazarus Group Dropper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
date = "2018-06-01"
@ -32,6 +33,7 @@ rule APT_Lazarus_Dropper_Jun18_1 {
rule APT_Lazarus_RAT_Jun18_1 {
meta:
description = "Detects Lazarus Group RAT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
date = "2018-06-01"
@ -64,6 +66,7 @@ rule APT_Lazarus_RAT_Jun18_1 {
rule APT_Lazarus_RAT_Jun18_2 {
meta:
description = "Detects Lazarus Group RAT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
date = "2018-06-01"


@ -11,6 +11,7 @@
rule SeDLL_Javascript_Decryptor {
meta:
description = "Detects SeDll - DLL is used for decrypting and executing another JavaScript backdoor such as Orz"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/MZ7dRg"
date = "2017-10-18"
@ -31,6 +32,7 @@ rule SeDLL_Javascript_Decryptor {
rule Leviathan_CobaltStrike_Sample_1 {
meta:
description = "Detects Cobalt Strike sample from Leviathan report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/MZ7dRg"
date = "2017-10-18"
@ -53,6 +55,7 @@ rule Leviathan_CobaltStrike_Sample_1 {
rule MockDll_Gen {
meta:
description = "Detects MockDll - regsvr DLL loader"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/MZ7dRg"
date = "2017-10-18"
@ -71,6 +74,7 @@ rule MockDll_Gen {
rule VBScript_Favicon_File {
meta:
description = "VBScript cloaked as Favicon file used in Leviathan incident"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/MZ7dRg"
date = "2017-10-18"


@ -13,6 +13,7 @@ import "pe"
rule Elise_Jan18_1 {
meta:
description = "Detects Elise malware samples - fake Norton Security NavShExt.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://twitter.com/blu3_team/status/955971742329135105"
date = "2018-01-24"


@ -10,6 +10,7 @@
rule APT_PupyRAT_PY {
meta:
description = "Detects Pupy RAT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
date = "2017-02-17"
@ -31,6 +32,7 @@ rule APT_PupyRAT_PY {
rule APT_MagicHound_MalMacro {
meta:
description = "Detects malicious macro / powershell in Office document"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
date = "2017-02-17"


@ -13,6 +13,7 @@ import "pe"
rule Microcin_Sample_1 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
@ -36,6 +37,7 @@ rule Microcin_Sample_1 {
rule Microcin_Sample_2 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
@ -50,6 +52,7 @@ rule Microcin_Sample_2 {
rule Microcin_Sample_3 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
@ -64,6 +67,7 @@ rule Microcin_Sample_3 {
rule Microcin_Sample_4 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
@ -84,6 +88,7 @@ rule Microcin_Sample_4 {
rule Microcin_Sample_5 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"
@ -102,6 +107,7 @@ rule Microcin_Sample_5 {
rule Microcin_Sample_6 {
meta:
description = "Malware sample mentioned in Microcin technical report by Kaspersky"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
date = "2017-09-26"


@ -13,6 +13,7 @@ import "pe"
rule ME_Campaign_Malware_1 {
meta:
description = "Detects malware from Middle Eastern campaign reported by Talos"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
date = "2018-02-07"
@ -26,6 +27,7 @@ rule ME_Campaign_Malware_1 {
rule ME_Campaign_Malware_2 {
meta:
description = "Detects malware from Middle Eastern campaign reported by Talos"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
date = "2018-02-07"
@ -46,6 +48,7 @@ rule ME_Campaign_Malware_2 {
rule ME_Campaign_Malware_3 {
meta:
description = "Detects malware from Middle Eastern campaign reported by Talos"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
date = "2018-02-07"
@ -62,6 +65,7 @@ rule ME_Campaign_Malware_3 {
rule ME_Campaign_Malware_4 {
meta:
description = "Detects malware from Middle Eastern campaign reported by Talos"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
date = "2018-02-07"
@ -73,6 +77,7 @@ rule ME_Campaign_Malware_4 {
rule ME_Campaign_Malware_5 {
meta:
description = "Detects malware from Middle Eastern campaign reported by Talos"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
date = "2018-02-07"


@ -2,6 +2,7 @@
rule APT_Malware_CommentCrew_MiniASP {
meta:
description = "CommentCrew Malware MiniASP APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "VT Analysis"
date = "2015-06-03"


@ -10,6 +10,7 @@
rule MiniDionis_readerView {
meta:
description = "MiniDionis Malware - file readerView.exe / adobe.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
date = "2015-07-20"
@ -37,6 +38,7 @@ rule MiniDionis_readerView {
rule Malicious_SFX1 {
meta:
description = "SFX with voicemail content"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
date = "2015-07-20"
@ -51,6 +53,7 @@ rule Malicious_SFX1 {
rule Malicious_SFX2 {
meta:
description = "SFX with adobe.exe content"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
date = "2015-07-20"
@ -66,6 +69,7 @@ rule Malicious_SFX2 {
rule MiniDionis_VBS_Dropped {
meta:
description = "Dropped File - 1.vbs"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/"
date = "2015-07-21"


@ -11,6 +11,7 @@
rule Molerats_Jul17_Sample_1 {
meta:
description = "Detects Molerats sample - July 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
date = "2017-07-07"
@ -25,6 +26,7 @@ rule Molerats_Jul17_Sample_1 {
rule Molerats_Jul17_Sample_2 {
meta:
description = "Detects Molerats sample - July 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
date = "2017-07-07"
@ -40,6 +42,7 @@ rule Molerats_Jul17_Sample_2 {
rule Molerats_Jul17_Sample_3 {
meta:
description = "Detects Molerats sample - July 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
date = "2017-07-07"
@ -55,6 +58,7 @@ rule Molerats_Jul17_Sample_3 {
rule Molerats_Jul17_Sample_4 {
meta:
description = "Detects Molerats sample - July 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
date = "2017-07-07"
@ -70,6 +74,7 @@ rule Molerats_Jul17_Sample_4 {
rule Molerats_Jul17_Sample_5 {
meta:
description = "Detects Molerats sample - July 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
date = "2017-07-07"
@ -87,6 +92,7 @@ rule Molerats_Jul17_Sample_5 {
rule Molerats_Jul17_Sample_Dropper {
meta:
description = "Detects Molerats sample dropper SFX - July 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
date = "2017-07-07"


@ -14,6 +14,7 @@ import "pe"
rule Monsoon_APT_Malware_1 {
meta:
description = "Detects malware from Monsoon APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2"
date = "2017-09-08"
@ -35,6 +36,7 @@ rule Monsoon_APT_Malware_1 {
rule Monsoon_APT_Malware_2 {
meta:
description = "Detects malware from Monsoon APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2"
date = "2017-09-08"


@ -10,6 +10,7 @@
rule MuddyWater_Mal_Doc_Feb18_1 {
meta:
description = "Detects malicious document used by MuddyWater"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research - TI2T"
date = "2018-02-26"
@ -26,6 +27,7 @@ rule MuddyWater_Mal_Doc_Feb18_1 {
rule MuddyWater_Mal_Doc_Feb18_2 {
meta:
description = "Detects malicious document used by MuddyWater"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research - TI2T"
date = "2018-02-26"
@ -44,6 +46,7 @@ rule MuddyWater_Mal_Doc_Feb18_2 {
rule MAL_MuddyWater_DroppedTask_Jun18_1 {
meta:
description = "Detects a dropped Windows task as used by MudyWater in June 2018"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb"
date = "2018-06-12"
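Review bot: The description of `MAL_MuddyWater_DroppedTask_Jun18_1` misspells the actor name as "MudyWater", which will hurt anyone searching or grouping matches by threat actor; the meta block is already being touched here, so `description = "Detects a dropped Windows task as used by MuddyWater in June 2018"` is a cheap fix. The rule body continues outside the hunk.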


@ -2,6 +2,7 @@
rule Backdoor_Naikon_APT_Sample1 {
meta:
description = "Detects backdoors related to the Naikon APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/7vHyvh"
date = "2015-05-14"


@ -8,6 +8,7 @@
rule Nanocore_RAT_Gen_1 {
meta:
description = "Detetcs the Nanocore RAT and similar malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
date = "2016-04-22"
@ -26,6 +27,7 @@ rule Nanocore_RAT_Gen_1 {
rule Nanocore_RAT_Gen_2 {
meta:
description = "Detetcs the Nanocore RAT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 100
reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
@ -42,6 +44,7 @@ rule Nanocore_RAT_Gen_2 {
rule Nanocore_RAT_Sample_1 {
meta:
description = "Detetcs a certain Nanocore RAT sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 75
reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
@ -58,6 +61,7 @@ rule Nanocore_RAT_Sample_1 {
rule Nanocore_RAT_Sample_2 {
meta:
description = "Detetcs a certain Nanocore RAT sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 75
reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
@ -84,6 +88,7 @@ rule Nanocore_RAT_Sample_2 {
rule Nanocore_RAT_Feb18_1 {
meta:
description = "Detects Nanocore RAT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research - T2T"
date = "2018-02-19"
@ -107,6 +112,7 @@ rule Nanocore_RAT_Feb18_1 {
rule Nanocore_RAT_Feb18_2 {
meta:
description = "Detects Nanocore RAT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research - T2T"
date = "2018-02-19"
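Review bot: Four descriptions in this file (`Nanocore_RAT_Gen_1`, `Nanocore_RAT_Gen_2`, `Nanocore_RAT_Sample_1`, `Nanocore_RAT_Sample_2`) start with "Detetcs" rather than "Detects"; the commit edits each of these meta blocks, so correcting the word at the same time avoids a second touch. For example `description = "Detects the Nanocore RAT and similar malware"` for the first rule, and the same substitution in the other three. The rule bodies continue outside the hunks.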


@ -11,6 +11,7 @@
rule Susp_Indicators_EXE {
meta:
description = "Detects packed NullSoft Inst EXE with characteristics of NetWire RAT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://pastebin.com/8qaiyPxs"
date = "2018-01-05"
@ -30,6 +31,7 @@ rule Susp_Indicators_EXE {
rule Suspicious_BAT_Strings {
meta:
description = "Detects a string also used in Netwire RAT auxilliary"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 60
reference = "https://pastebin.com/8qaiyPxs"
@ -43,6 +45,7 @@ rule Suspicious_BAT_Strings {
rule Malicious_BAT_Strings {
meta:
description = "Detects a string also used in Netwire RAT auxilliary"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 60
reference = "https://pastebin.com/8qaiyPxs"


@ -12,6 +12,7 @@ import "pe"
rule OilRig_Malware_Campaign_Gen1 {
meta:
description = "Detects malware from OilRig Campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
@ -67,6 +68,7 @@ rule OilRig_Malware_Campaign_Gen1 {
rule OilRig_Malware_Campaign_Mal1 {
meta:
description = "Detects malware from OilRig Campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
@ -84,6 +86,7 @@ rule OilRig_Malware_Campaign_Mal1 {
rule OilRig_Malware_Campaign_Gen2 {
meta:
description = "Detects malware from OilRig Campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
@ -106,6 +109,7 @@ rule OilRig_Malware_Campaign_Gen2 {
rule OilRig_Malware_Campaign_Gen3 {
meta:
description = "Detects malware from OilRig Campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
@ -123,6 +127,7 @@ rule OilRig_Malware_Campaign_Gen3 {
rule OilRig_Malware_Campaign_Mal2 {
meta:
description = "Detects malware from OilRig Campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
@ -141,6 +146,7 @@ rule OilRig_Malware_Campaign_Mal2 {
rule OilRig_Campaign_Reconnaissance {
meta:
description = "Detects Windows discovery commands - known from OilRig Campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
@ -156,6 +162,7 @@ rule OilRig_Campaign_Reconnaissance {
rule OilRig_Malware_Campaign_Mal3 {
meta:
description = "Detects malware from OilRig Campaign"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
@ -171,6 +178,7 @@ rule OilRig_Malware_Campaign_Mal3 {
rule OilRig_Malware_Nov17_13 {
meta:
description = ""
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://twitter.com/ClearskySec/status/933280188733018113"
date = "2017-11-22"
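Review bot: `OilRig_Malware_Nov17_13` gains a license line but still carries `description = ""`, so a match on this rule gives an analyst no indication of what was detected. Since the meta block is being edited, a one-line description derived from the cited reference, along the lines of `description = "Detects OilRig malware sample reported by ClearSky in November 2017"`, should go in here; the exact wording should be checked against the referenced tweet. The rule body continues outside the hunk.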


@ -11,6 +11,7 @@
rule OilRig_Strings_Oct17 {
meta:
description = "Detects strings from OilRig malware and malicious scripts"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"
date = "2017-10-18"
@ -39,6 +40,7 @@ import "pe"
rule OilRig_ISMAgent_Campaign_Samples1 {
meta:
description = "Detects OilRig malware from Unit 42 report in October 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/JQVfFP"
date = "2017-10-18"
@ -58,6 +60,7 @@ rule OilRig_ISMAgent_Campaign_Samples1 {
rule OilRig_ISMAgent_Campaign_Samples2 {
meta:
description = "Detects OilRig malware from Unit 42 report in October 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/JQVfFP"
date = "2017-10-18"
@ -77,6 +80,7 @@ rule OilRig_ISMAgent_Campaign_Samples2 {
rule OilRig_ISMAgent_Campaign_Samples3 {
meta:
description = "Detects OilRig malware from Unit 42 report in October 2017"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/JQVfFP"
date = "2017-10-18"


@ -13,6 +13,7 @@ import "pe"
rule OilRig_RGDoor_Gen1 {
meta:
description = "Detects RGDoor backdoor used by OilRig group"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
date = "2018-01-27"


@ -13,6 +13,7 @@ import "pe"
rule Destructive_Ransomware_Gen1 {
meta:
description = "Detects destructive malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
date = "2018-02-12"
@ -28,6 +29,7 @@ rule Destructive_Ransomware_Gen1 {
rule OlympicDestroyer_Gen2 {
meta:
description = "Detects Olympic Destroyer malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
date = "2018-02-12"


@ -8,6 +8,7 @@
rule ONHAT_Proxy_Hacktool {
meta:
description = "Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/p32Ozf"
date = "2016-05-12"


@ -302,6 +302,7 @@ rule OPCLEAVER_Parviz_Developer
description = "Parviz developer known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
strings:
@ -316,6 +317,7 @@ rule OPCLEAVER_CCProxy_Config
description = "CCProxy config known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
strings:
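Review bot: In both OPCLEAVER hunks (`OPCLEAVER_Parviz_Developer` and `OPCLEAVER_CCProxy_Config`) the new `license` line is placed after `date` and before `author`, unlike the rest of this commit where it directly follows `description`; keeping the key order consistent across the repository makes the meta blocks easier to lint and parse. Placing `license = "https://creativecommons.org/licenses/by-nc/4.0/"` right after the `description` line in both rules would align them. Separately, these two rules use `date = "2014/12/02"` while the other rules in this commit use ISO-style `YYYY-MM-DD`; that is pre-existing, but worth normalising while the blocks are open. Both rule headers sit outside the hunks, visible only in the `@@` context.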


@ -10,6 +10,7 @@
rule OpCloudHopper_Malware_1 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -26,6 +27,7 @@ rule OpCloudHopper_Malware_1 {
rule OpCloudHopper_Malware_2 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -54,6 +56,7 @@ rule OpCloudHopper_Malware_2 {
rule OpCloudHopper_Malware_3 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -74,6 +77,7 @@ rule OpCloudHopper_Malware_3 {
rule OpCloudHopper_Dropper_1 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -87,6 +91,7 @@ rule OpCloudHopper_Dropper_1 {
rule OpCloudHopper_Malware_4 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -102,6 +107,7 @@ rule OpCloudHopper_Malware_4 {
rule OpCloudHopper_Malware_5 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -122,6 +128,7 @@ rule OpCloudHopper_Malware_5 {
rule OpCloudHopper_Malware_6 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -138,6 +145,7 @@ rule OpCloudHopper_Malware_6 {
rule OpCloudHopper_Malware_7 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -152,6 +160,7 @@ rule OpCloudHopper_Malware_7 {
rule OpCloudHopper_Malware_8 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -171,6 +180,7 @@ rule OpCloudHopper_Malware_8 {
rule OpCloudHopper_Malware_9 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -185,6 +195,7 @@ rule OpCloudHopper_Malware_9 {
rule OpCloudHopper_Malware_10 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -200,6 +211,7 @@ rule OpCloudHopper_Malware_10 {
rule OpCloudHopper_Malware_11 {
meta:
description = "Detects malware from Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-03"
@ -225,6 +237,7 @@ rule OpCloudHopper_Malware_11 {
rule OpCloudHopper_lockdown {
meta:
description = "Tools related to Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
@ -239,6 +252,7 @@ rule OpCloudHopper_lockdown {
rule OpCloudHopper_WindowXarBot {
meta:
description = "Malware related to Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
date = "2017-04-07"
@ -251,6 +265,7 @@ rule OpCloudHopper_WindowXarBot {
rule OpCloudHopper_WmiDLL_inMemory {
meta:
description = "Malware related to Operation Cloud Hopper - Page 25"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
date = "2017-04-07"
@ -263,6 +278,7 @@ rule OpCloudHopper_WmiDLL_inMemory {
rule VBS_WMIExec_Tool_Apr17_1 {
meta:
description = "Tools related to Operation Cloud Hopper"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"


@ -13,6 +13,7 @@ import "pe"
rule HoneyBee_Dropper_MalDoc {
meta:
description = "Detects samples from Operation Honeybee"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/JAHZVL"
date = "2018-03-03"
@ -35,6 +36,7 @@ rule HoneyBee_Dropper_MalDoc {
rule OpHoneybee_Malware_1 {
meta:
description = "Detects malware from Operation Honeybee"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/JAHZVL"
date = "2018-03-03"
@ -69,6 +71,7 @@ rule OpHoneybee_Malware_1 {
rule OpHoneybee_MaoCheng_Dropper {
meta:
description = "Detects MaoCheng dropper from Operation Honeybee"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/JAHZVL"
date = "2018-03-03"


@ -10,6 +10,7 @@
rule PassCV_Sabre_Malware_1 {
meta:
description = "PassCV Malware mentioned in Cylance Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
date = "2016-10-20"
@ -34,6 +35,7 @@ rule PassCV_Sabre_Malware_1 {
rule PassCV_Sabre_Malware_Signing_Cert {
meta:
description = "PassCV Malware mentioned in Cylance Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
date = "2016-10-20"
@ -55,6 +57,7 @@ rule PassCV_Sabre_Malware_Signing_Cert {
rule PassCV_Sabre_Malware_2 {
meta:
description = "PassCV Malware mentioned in Cylance Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
date = "2016-10-20"
@ -78,6 +81,7 @@ rule PassCV_Sabre_Malware_2 {
rule PassCV_Sabre_Malware_Excalibur_1 {
meta:
description = "PassCV Malware mentioned in Cylance Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
date = "2016-10-20"
@ -99,6 +103,7 @@ rule PassCV_Sabre_Malware_Excalibur_1 {
rule PassCV_Sabre_Malware_3 {
meta:
description = "PassCV Malware mentioned in Cylance Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
date = "2016-10-20"
@ -116,6 +121,7 @@ rule PassCV_Sabre_Malware_3 {
rule PassCV_Sabre_Malware_4 {
meta:
description = "PassCV Malware mentioned in Cylance Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
date = "2016-10-20"
@ -131,6 +137,7 @@ rule PassCV_Sabre_Malware_4 {
rule PassCV_Sabre_Tool_NTScan {
meta:
description = "PassCV Malware mentioned in Cylance Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
date = "2016-10-20"
@ -147,6 +154,7 @@ rule PassCV_Sabre_Tool_NTScan {
rule PassCV_Sabre_Malware_5 {
meta:
description = "PassCV Malware mentioned in Cylance Report"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
date = "2016-10-20"


@ -10,6 +10,7 @@
rule whosthere_alt {
meta:
description = "Auto-generated rule - file whosthere-alt.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
@ -31,6 +32,7 @@ rule whosthere_alt {
rule iam_alt_iam_alt {
meta:
description = "Auto-generated rule - file iam-alt.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
@ -52,6 +54,7 @@ rule iam_alt_iam_alt {
rule genhash_genhash {
meta:
description = "Auto-generated rule - file genhash.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
@ -70,6 +73,7 @@ rule genhash_genhash {
rule iam_iamdll {
meta:
description = "Auto-generated rule - file iamdll.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
@ -86,6 +90,7 @@ rule iam_iamdll {
rule iam_iam {
meta:
description = "Auto-generated rule - file iam.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
@ -106,6 +111,7 @@ rule iam_iam {
rule whosthere_alt_pth {
meta:
description = "Auto-generated rule - file pth.dll"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"
@ -124,6 +130,7 @@ rule whosthere_alt_pth {
rule whosthere {
meta:
description = "Auto-generated rule - file whosthere.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
date = "2015-07-10"


@ -1,6 +1,7 @@
rule PLEAD_Downloader_Jun18_1 {
meta:
description = "Detects PLEAD Downloader"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
date = "2018-06-16"


@ -2,6 +2,7 @@
rule PoisonIvy_Sample_APT {
meta:
description = "Detects a PoisonIvy APT malware group"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
@ -22,6 +23,7 @@ rule PoisonIvy_Sample_APT {
rule PoisonIvy_Sample_APT_2 {
meta:
description = "Detects a PoisonIvy Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
@ -56,6 +58,7 @@ rule PoisonIvy_Sample_APT_2 {
rule PoisonIvy_Sample_APT_3 {
meta:
description = "Detects a PoisonIvy Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
@ -73,6 +76,7 @@ rule PoisonIvy_Sample_APT_3 {
rule PoisonIvy_Sample_APT_4 {
meta:
description = "Detects a PoisonIvy Sample APT"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
@ -95,6 +99,7 @@ rule PoisonIvy_Sample_APT_4 {
rule PoisonIvy_Sample_5 {
meta:
description = "Detects PoisonIvy RAT sample set"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
@ -116,6 +121,7 @@ condition:
rule PoisonIvy_Sample_6 {
meta:
description = "Detects PoisonIvy RAT sample set"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
reference = "VT Analysis"
@ -154,6 +160,7 @@ rule PoisonIvy_Sample_6 {
rule PoisonIvy_Sample_7 {
meta:
description = "Detects PoisonIvy RAT sample set"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
score = 70
reference = "VT Analysis"


@ -2,6 +2,7 @@
rule PoisonIvy_Generic_3 {
meta:
description = "PoisonIvy RAT Generic Rule"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
date = "2015-05-14"
hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"
