#ALF/TrojanDownloader | ||
#ASRWin32ApiMacroExclusion | ||
#MpRequestHookwowM | ||
#PUA/Block | ||
#attrmatch_rescan_psif | ||
Adware | ||
Backdoor | ||
Behavior/Win32/Pryncimoklyn | ||
BrowserModifier | ||
Constructor/Win32 | ||
DDoS | ||
DoS | ||
Exploit | ||
HackTool | ||
InfrastructureShared | ||
Joke/Win32 | ||
Misleading | ||
MonitoringTool | ||
PUA | ||
PWS | ||
Program/Win32/CompromisedCert | ||
PseudoThreat_4000002a | ||
PseudoThreat_4000002b | ||
PseudoThreat_4000002c | ||
PseudoThreat_4000002d | ||
PseudoThreat_4000002e | ||
PseudoThreat_40000020 | ||
PseudoThreat_40000021 | ||
PseudoThreat_40000022 | ||
PseudoThreat_40000023 | ||
PseudoThreat_40000024 | ||
PseudoThreat_40000025 | ||
PseudoThreat_40000026 | ||
PseudoThreat_40000027 | ||
PseudoThreat_40000028 | ||
PseudoThreat_40000029 | ||
PseudoThreat_40000031 | ||
PseudoThreat_c0000afc | ||
PseudoThreat_c0000afe | ||
PseudoThreat_c0000b00 | ||
PseudoThreat_c0000b0a | ||
PseudoThreat_c0000b0b | ||
PseudoThreat_c0000b0c | ||
PseudoThreat_c0000b01 | ||
PseudoThreat_c0000b02 | ||
PseudoThreat_c0000b04 | ||
PseudoThreat_c0000b05 | ||
PseudoThreat_c0000b06 | ||
PseudoThreat_c0000b07 | ||
PseudoThreat_c0000b08 | ||
PseudoThreat_c0000b09 | ||
PseudoThreat_c00009d0 | ||
PseudoThreat_c00009d1 | ||
PseudoThreat_c00012a7 | ||
PseudoThreat_c000095a | ||
PseudoThreat_c000095b | ||
PseudoThreat_c0000923 | ||
PseudoThreat_c0000943 | ||
PseudoThreat_c0000958 | ||
PseudoThreat_c0000959 | ||
PseudoThreat_c0001346 | ||
Ransom | ||
RemoteAccess/MSIL/AveMariaRAT | ||
Rogue | ||
SoftwareBundler/Win32 | ||
Spammer | ||
Spoofer/Win32/Arpspoof | ||
Spyware | ||
SupportScam | ||
Tool | ||
Trojan | ||
TrojanClicker | ||
TrojanDownloader | ||
TrojanDropper | ||
TrojanProxy | ||
TrojanSpy | ||
VirTool | ||
Virus | ||
Worm | ||
README.MD |
README.MD
DefenderYara
Description
Extracted YARA rules from Defender's mpavbase.vdm and mpasbase.vdm. Enjoy it.
// Auto-generated YARA rule. The `description` meta keeps the original Defender
// signature name and signature type (SIGNATURE_TYPE_ARHSTR_EXT) followed by raw
// header bytes copied from the signature; what those header values encode is
// not shown on this page.
rule HackTool_Win64_CobaltStrike_A_{
meta:
description = "HackTool:Win64/CobaltStrike.A!!CobaltStrike.A64,SIGNATURE_TYPE_ARHSTR_EXT,1f 00 1f 00 07 00 00 01 00 "
strings :
// NOTE(review): the number after `$a_` (01 vs 03) presumably is the Defender
// pattern sub-type — confirm against the extractor.
// NOTE(review): in the `$a_03_*` strings the recurring `90 01 02` / `90 02 xx` /
// `90 03 ...` / `90 00` sequences look like control codes of the Defender
// pattern encoding (wildcards, jumps, end marker) rather than literal bytes;
// if so, matching them literally will not hit where the original signature
// does — verify before relying on these strings.
// The trailing `//xx 00` comments on each string appear to be carried over
// from the signature (presumably per-string weights); the condition below
// does not use them.
$a_03_0 = {00 01 00 01 00 02 90 01 02 00 02 00 01 00 02 90 00 } //01 00
$a_03_1 = {69 68 69 68 69 6b 90 01 02 69 6b 69 68 69 6b 90 00 } //01 00
$a_03_2 = {2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } //01 00
$a_01_3 = {4c 63 c2 4d 03 c0 42 0f 10 04 c0 48 8b c1 f3 0f 7f 01 c3 } //0a 00
$a_03_4 = {48 ff c0 48 3d 00 10 00 00 7c f1 90 09 04 00 80 90 01 02 90 03 01 01 2e 69 48 90 00 } //0a 00
$a_01_5 = {0f af d1 44 8b c8 b8 1f 85 eb 51 f7 e2 41 8b c1 44 8b c2 33 d2 41 c1 e8 05 41 f7 f0 } //0a 00
$a_03_6 = {b9 00 00 10 00 e8 90 02 3c ba 7f 66 04 40 8b c8 48 8b 90 02 08 89 08 48 8b 4b 20 90 00 } //00 00
condition:
// A single string hit fires the rule. This ignores whatever weighting or
// threshold the original signature applied, so the rule is looser than the
// source signature and may fire on files the original would not flag
// (the README itself notes the condition may be wrong).
any of ($a_*)
}
The generated `condition` may be wrong: `any of ($a_*)` fires on a single string hit and ignores the per-string values carried in the string comments, so it is only an approximation of the original signature's matching logic.