Elastic Security YARA Rules

Elastic Security provides signature-based YARA rules within the Elastic Endpoint product. These rules are used to detect and prevent emerging threats on Linux, Windows, and macOS systems. Our repository holds over 1,000 YARA rules that are used every day to stop a wide range of threats, including Trojans, ransomware, cryptominers, attack penetration frameworks, and more.

These YARA rules can be leveraged by the community and for different use cases such as:

  • Network Defending
  • Threat Hunting
  • Incident Response/Forensics
  • Alert Triage / Enrichment
  • Malware Analysis

How to contribute

Our team welcomes your contributions to our YARA rules! Before contributing, please familiarize yourself with this repository and read our contribution guide, which gives an overview of the rules and the principles behind them. We are currently taking requests for false positives and requests seeking coverage for trending malware families.

Licensing

These rules are licensed under the Elastic License v2. All rules have been designed to be used in the context of the Elastic Endpoint within the Elastic Security application.

Questions? Problems? Suggestions?

Want to know more about how our signatures are developed? Check out our blog overview, which explains our typical signature workflow in more detail. If you'd like to report a false positive or missing coverage for a malware family, please check whether a GitHub issue already exists and, if not, create one. Need help with our YARA rules? Post an issue, or ask away in our Security Discuss Forum or the #endpoint-security channel within our Slack workspace.