qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4 Commits 1 Branch 0 Tags 65 MiB
YARA 100%
Go to file
roadwy 692b13b2f6 update: update to 20240218 2024-02-26 20:07:32 +08:00
#ALF/TrojanDownloader feat: hex text add comment 2024-02-07 22:09:14 +08:00
#ASRWin32ApiMacroExclusion update: update to 20240218 2024-02-26 20:07:32 +08:00
#PUA/Block update: update to 20240218 2024-02-26 20:07:32 +08:00
#attrmatch_rescan_psif feat: hex text add comment 2024-02-07 22:09:14 +08:00
Adware update: update to 20240218 2024-02-26 20:07:32 +08:00
Backdoor update: update to 20240218 2024-02-26 20:07:32 +08:00
Behavior/Win32/Pryncimoklyn feat: hex text add comment 2024-02-07 22:09:14 +08:00
BrowserModifier update: update to 20240218 2024-02-26 20:07:32 +08:00
Constructor/Win32 feat: hex text add comment 2024-02-07 22:09:14 +08:00
DDoS update: update to 20240218 2024-02-26 20:07:32 +08:00
DoS update: update to 20240218 2024-02-26 20:07:32 +08:00
Exploit update: update to 20240218 2024-02-26 20:07:32 +08:00
HackTool update: update to 20240218 2024-02-26 20:07:32 +08:00
InfrastructureShared update: update to 20240218 2024-02-26 20:07:32 +08:00
Joke/Win32 feat: hex text add comment 2024-02-07 22:09:14 +08:00
Misleading feat: hex text add comment 2024-02-07 22:09:14 +08:00
MonitoringTool update: update to 20240218 2024-02-26 20:07:32 +08:00
PUA update: update to 20240218 2024-02-26 20:07:32 +08:00
PUAMiner/Linux/CoinMiner update: update to 20240218 2024-02-26 20:07:32 +08:00
PWS update: update to 20240218 2024-02-26 20:07:32 +08:00
Program/Win32/CompromisedCert feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_4000002a feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_4000002b feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_4000002c feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_4000002d feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_4000002e feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000020 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000021 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000022 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000023 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000024 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000025 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000026 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000027 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000028 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000029 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_40000031 feat: hex text add comment 2024-02-07 22:09:14 +08:00
PseudoThreat_c0000e58 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c0000ea1 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00008dd update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00008f6 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009c3 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009c4 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009c6 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009c7 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009c8 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009ca update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009cb update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009cc update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009cd update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009ce update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009cf update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009d0 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009d1 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c00009d2 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c000095d update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c000095e update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c0000902 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c0000903 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c0000904 update: update to 20240218 2024-02-26 20:07:32 +08:00
PseudoThreat_c0000905 update: update to 20240218 2024-02-26 20:07:32 +08:00
Ransom update: update to 20240218 2024-02-26 20:07:32 +08:00
RemoteAccess/MSIL/AveMariaRAT feat: hex text add comment 2024-02-07 22:09:14 +08:00
Rogue feat: hex text add comment 2024-02-07 22:09:14 +08:00
SoftwareBundler/Win32 update: update to 20240218 2024-02-26 20:07:32 +08:00
Spammer feat: hex text add comment 2024-02-07 22:09:14 +08:00
Spoofer/Win32/Arpspoof feat: hex text add comment 2024-02-07 22:09:14 +08:00
Spyware feat: hex text add comment 2024-02-07 22:09:14 +08:00
SupportScam feat: hex text add comment 2024-02-07 22:09:14 +08:00
Tool feat: hex text add comment 2024-02-07 22:09:14 +08:00
Trojan update: update to 20240218 2024-02-26 20:07:32 +08:00
TrojanClicker feat: hex text add comment 2024-02-07 22:09:14 +08:00
TrojanDownloader update: update to 20240218 2024-02-26 20:07:32 +08:00
TrojanDropper update: update to 20240218 2024-02-26 20:07:32 +08:00
TrojanProxy feat: hex text add comment 2024-02-07 22:09:14 +08:00
TrojanSpy update: update to 20240218 2024-02-26 20:07:32 +08:00
VirTool update: update to 20240218 2024-02-26 20:07:32 +08:00
Virus update: update to 20240218 2024-02-26 20:07:32 +08:00
Worm update: update to 20240218 2024-02-26 20:07:32 +08:00
README.MD doc: update yara example 2024-02-17 18:42:25 +08:00

README.MD

DefenderYara

DefenderYara

Description

Extracted Yara rules from Defender mpavbase.vdm and mpasbase.Enjoy it.

rule HackTool_Win64_Mimikatz_A{
	meta:
		description = "HackTool:Win64/Mimikatz.A,SIGNATURE_TYPE_PEHSTR_EXT,07 00 06 00 14 00 00 01 00 "
		
	strings :
		$a_80_0 = {41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 46 69 6c 65 5a 69 6c 6c 61 2e 64 61 74 } //AppData\Roaming\FileZilla.dat  01 00 
		$a_80_1 = {41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 69 63 72 6f 73 6f 66 74 5c 43 72 65 64 65 6e 74 69 61 6c } //AppData\Local\Microsoft\Credential  01 00 
		$a_80_2 = {41 70 70 6c 69 63 61 74 69 6f 6e 20 44 61 74 61 5c 54 68 75 6e 64 65 72 62 69 72 64 5c 50 72 6f 66 69 6c 65 73 } //Application Data\Thunderbird\Profiles  01 00 
		$a_80_3 = {41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 54 68 75 6e 64 65 72 62 69 72 64 5c 50 72 6f 66 69 6c 65 73 } //AppData\Roaming\Thunderbird\Profiles  01 00 
		$a_80_4 = {41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4d 6f 7a 69 6c 6c 61 5c 46 69 72 65 66 6f 78 5c 50 72 6f 66 69 6c 65 73 } //AppData\Roaming\Mozilla\Firefox\Profiles  01 00 
		$a_80_5 = {41 70 70 6c 69 63 61 74 69 6f 6e 20 44 61 74 61 5c 4d 6f 7a 69 6c 6c 61 5c 46 69 72 65 66 6f 78 5c 50 72 6f 66 69 6c 65 73 } //Application Data\Mozilla\Firefox\Profiles  01 00 
		$a_80_6 = {4f 75 74 6c 6f 6f 6b 5c 50 72 6f 66 69 6c 65 73 5c 4f 75 74 6c 6f 6f 6b } //Outlook\Profiles\Outlook  01 00 
		$a_80_7 = {53 4f 46 54 57 41 52 45 5c 52 65 61 6c 56 4e 43 5c 57 69 6e 56 4e 43 34 } //SOFTWARE\RealVNC\WinVNC4  01 00 
		$a_80_8 = {41 64 6d 69 6e 50 61 73 73 77 6f 72 64 } //AdminPassword  01 00 
		$a_80_9 = {53 4f 46 54 57 41 52 45 5c 54 69 67 68 74 56 4e 43 5c 53 65 72 76 65 72 } //SOFTWARE\TightVNC\Server  01 00 
		$a_80_10 = {75 76 6e 63 20 62 76 62 61 5c 55 6c 74 72 61 56 4e 43 5c 55 6c 74 72 61 56 4e 43 2e 69 6e 69 } //uvnc bvba\UltraVNC\UltraVNC.ini  01 00 
		$a_80_11 = {41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 4f 70 65 72 61 20 53 74 61 62 6c 65 5c 4c 6f 67 69 6e 20 44 61 74 61 } //AppData\Roaming\Opera Software\Opera Stable\Login Data  01 00 
		$a_80_12 = {53 45 4c 45 43 54 20 68 6f 73 74 6e 61 6d 65 2c 20 65 6e 63 72 79 70 74 65 64 55 73 65 72 6e 61 6d 65 2c 20 65 6e 63 72 79 70 74 65 64 50 61 73 73 77 6f 72 64 20 46 52 4f 4d 20 6d 6f 7a 5f 6c 6f 67 69 6e 73 } //SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins  01 00 
		$a_80_13 = {53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 5c 49 6e 74 65 6c 6c 69 46 6f 72 6d 73 5c 53 74 6f 72 61 67 65 32 } //Software\Microsoft\Internet Explorer\IntelliForms\Storage2  01 00 
		$a_80_14 = {4c 6f 63 61 6c 20 53 65 74 74 69 6e 67 73 5c 41 70 70 6c 69 63 61 74 69 6f 6e 20 44 61 74 61 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 5c 44 65 66 61 75 6c 74 5c } //Local Settings\Application Data\Google\Chrome\User Data\Default\  01 00 
		$a_80_15 = {41 70 70 64 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 5c 44 65 66 61 75 6c 74 5c } //Appdata\Local\Google\Chrome\User Data\Default\  01 00 
		$a_80_16 = {53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 20 4e 54 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 57 69 6e 64 6f 77 73 20 4d 65 73 73 61 67 69 6e 67 20 53 75 62 73 79 73 74 65 6d 5c 50 72 6f 66 69 6c 65 73 5c 4f 75 74 6c 6f 6f 6b } //Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  01 00 
		$a_80_17 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 20 4e 54 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 50 72 6f 66 69 6c 65 4c 69 73 74 5c } //SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\  01 00 
		$a_80_18 = {41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 57 65 62 43 61 63 68 65 5c 57 65 62 43 61 63 68 65 56 30 31 2e 64 61 74 } //AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat  01 00 
		$a_80_19 = {53 45 4c 45 43 54 20 6f 72 69 67 69 6e 5f 75 72 6c 2c 20 75 73 65 72 6e 61 6d 65 5f 76 61 6c 75 65 2c 20 70 61 73 73 77 6f 72 64 5f 76 61 6c 75 65 20 46 52 4f 4d 20 6c 6f 67 69 6e 73 } //SELECT origin_url, username_value, password_value FROM logins  00 00 
	condition:
		any of ($a_*)
 
}

all of condition are "any of ($a_*)", it's worng. if someone know how to get corret yara condition, PR is welcome.

Parsed HSTR type:

  • SIGNATURE_TYPE_PEHSTR_EXT
  • SIGNATURE_TYPE_ELFHSTR_EXT
  • SIGNATURE_TYPE_MACHOHSTR_EXT
  • SIGNATURE_TYPE_MACROHSTR_EXT
  • SIGNATURE_TYPE_DEXHSTR_EXT
  • SIGNATURE_TYPE_JAVAHSTR_EXT
  • SIGNATURE_TYPE_CMDHSTR_EXT
  • SIGNATURE_TYPE_ARHSTR_EXT
  • SIGNATURE_TYPE_PEHSTR

TODO:

  • SIGNATURE_TYPE_SWFHSTR_EXT
  • SIGNATURE_TYPE_AUTOITHSTR_EXT
  • SIGNATURE_TYPE_INNOHSTR_EXT
  • SIGNATURE_TYPE_MDBHSTR_EXT
  • SIGNATURE_TYPE_DMGHSTR_EXT

Reference