2024-02-05 06:12:47 -08:00
# DefenderYara
![DefenderYara](https://socialify.git.ci/roadwy/DefenderYara/image?description=1&font=Inter&forks=1&issues=1&language=1&owner=1&pattern=Plus&stargazers=1&theme=Light)
## Description
YARA rules extracted from the Defender signature databases mpavbase.vdm and mpasbase.vdm. Enjoy.
```yara
rule HackTool_Win64_CobaltStrike_A_ {
    meta:
        description = "HackTool:Win64/CobaltStrike.A!!CobaltStrike.A64,SIGNATURE_TYPE_ARHSTR_EXT,1f 00 1f 00 07 00 00 01 00 "
    strings:
        $a_03_0 = { 00 01 00 01 00 02 90 01 02 00 02 00 01 00 02 90 00 } // 01 00
        $a_03_1 = { 69 68 69 68 69 6b 90 01 02 69 6b 69 68 69 6b 90 00 } // 01 00
        $a_03_2 = { 2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } // 01 00
        $a_01_3 = { 4c 63 c2 4d 03 c0 42 0f 10 04 c0 48 8b c1 f3 0f 7f 01 c3 } // 0a 00
        $a_03_4 = { 48 ff c0 48 3d 00 10 00 00 7c f1 90 09 04 00 80 90 01 02 90 03 01 01 2e 69 48 90 00 } // 0a 00
        $a_01_5 = { 0f af d1 44 8b c8 b8 1f 85 eb 51 f7 e2 41 8b c1 44 8b c2 33 d2 41 c1 e8 05 41 f7 f0 } // 0a 00
        $a_03_6 = { b9 00 00 10 00 e8 90 02 3c ba 7f 66 04 40 8b c8 48 8b 90 02 08 89 08 48 8b 4b 20 90 00 } // 00 00
    condition:
        any of ($a_*)
}
```
The generated condition (`any of ($a_*)`) may be wrong.
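As an added example that is not part of this repository, the script below parses the rule text above, treats each `//xx xx` comment as that string's little-endian weight and the first word after `SIGNATURE_TYPE_ARHSTR_EXT` as the match threshold (both are assumptions about the extracted header), and compares a weighted-threshold check with what `any of ($a_*)` reports on a constructed buffer; the `90 xx` escape bytes are searched literally, exactly as the rule above does.

```python
import re

# Constructed copy of the extracted rule shown above (only what the parser needs).
RULE_TEXT = r'''
rule HackTool_Win64_CobaltStrike_A_ {
meta:
description = "HackTool:Win64/CobaltStrike.A!!CobaltStrike.A64,SIGNATURE_TYPE_ARHSTR_EXT,1f 00 1f 00 07 00 00 01 00 "
strings :
$a_03_0 = {00 01 00 01 00 02 90 01 02 00 02 00 01 00 02 90 00 } //01 00
$a_03_1 = {69 68 69 68 69 6b 90 01 02 69 6b 69 68 69 6b 90 00 } //01 00
$a_03_2 = {2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } //01 00
$a_01_3 = {4c 63 c2 4d 03 c0 42 0f 10 04 c0 48 8b c1 f3 0f 7f 01 c3 } //0a 00
$a_03_4 = {48 ff c0 48 3d 00 10 00 00 7c f1 90 09 04 00 80 90 01 02 90 03 01 01 2e 69 48 90 00 } //0a 00
$a_01_5 = {0f af d1 44 8b c8 b8 1f 85 eb 51 f7 e2 41 8b c1 44 8b c2 33 d2 41 c1 e8 05 41 f7 f0 } //0a 00
$a_03_6 = {b9 00 00 10 00 e8 90 02 3c ba 7f 66 04 40 8b c8 48 8b 90 02 08 89 08 48 8b 4b 20 90 00 } //00 00
condition:
any of ($a_*)
}
'''

STRING_RE = re.compile(r'\$(\w+)\s*=\s*\{([0-9a-fA-F ]+)\}\s*//\s*([0-9a-fA-F]{2})\s+([0-9a-fA-F]{2})')
HEADER_RE = re.compile(r'SIGNATURE_TYPE_ARHSTR_EXT,([0-9a-fA-F]{2}) ([0-9a-fA-F]{2})')

def parse_rule(text):
    """Return (threshold, [(name, pattern_bytes, weight), ...]).
    Assumption: the first little-endian u16 after the signature type is the
    threshold and each //xx xx comment is the string's little-endian weight."""
    m = HEADER_RE.search(text)
    threshold = int(m.group(1), 16) | (int(m.group(2), 16) << 8)
    strings = []
    for name, hexbody, lo, hi in STRING_RE.findall(text):
        weight = int(lo, 16) | (int(hi, 16) << 8)
        strings.append((name, bytes.fromhex("".join(hexbody.split())), weight))
    return threshold, strings

def weighted_score(buf, strings):
    """Sum the weights of every pattern present in buf (each counted once)."""
    return sum(w for _, pat, w in strings if pat in buf)

def defender_matches(buf):
    """Weighted check: total weight of matched strings must reach the threshold."""
    threshold, strings = parse_rule(RULE_TEXT)
    return weighted_score(buf, strings) >= threshold

def any_of_matches(buf):
    """What the generated `any of ($a_*)` condition reports for the same buffer."""
    _, strings = parse_rule(RULE_TEXT)
    return any(pat in buf for _, pat, _ in strings)
```

With the weights 1, 1, 1, 10, 10, 10, 0 and a threshold of 31, a buffer holding only one string satisfies `any of` but not the weighted check, and even all three weight-10 strings together (30) still fall short.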
## Reference
- https://github.com/commial/experiments/tree/master/windows-defender
- https://github.com/HackingLZ/ExtractedDefender
- https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/malware-naming?view=o365-worldwide