minor changes, tags for HIGHVOL rules

Neo23x0 · Dec 2, 2021 · 3dc9621 · 3dc9621
1 parent 7dc5df9
commit 3dc9621
Show file tree

Hide file tree

Showing 8 changed files with 8 additions and 8 deletions.
diff --git a/yara/apt_eqgrp_apr17.yar b/yara/apt_eqgrp_apr17.yar
@@ -2954,7 +2954,7 @@ rule EquationGroup_Toolset_Apr17_ActiveDirectory_Target {
       ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
 }
 
-rule EquationGroup_Toolset_Apr17_PC_Legacy_dll {
+rule EquationGroup_Toolset_Apr17_PC_Legacy_dll : HIGHVOL {
    meta:
       description = "Detects EquationGroup Tool - April Leak"
       license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"

diff --git a/yara/apt_irontiger_trendmicro.yar b/yara/apt_irontiger_trendmicro.yar
@@ -1,4 +1,4 @@
-rule IronTiger_ASPXSpy
+rule IronTiger_ASPXSpy : HIGHVOL
 {
 	meta:
 		author = "Cyber Safety Solutions, Trend Micro"

diff --git a/yara/gen_exploit_cve_2017_10271_weblogic.yar b/yara/gen_exploit_cve_2017_10271_weblogic.yar
@@ -1,4 +1,4 @@
-rule gen_exploit_CVE_2017_10271_WebLogic
+rule gen_exploit_CVE_2017_10271_WebLogic : HIGHVOL
 {
     meta: 
         description = "Exploit for CVE-2017-10271 (Oracle WebLogic)"

diff --git a/yara/gen_powershell_invocation.yar b/yara/gen_powershell_invocation.yar
@@ -1,5 +1,5 @@
 
-rule PowerShell_Susp_Parameter_Combo {
+rule PowerShell_Susp_Parameter_Combo : HIGHVOL {
    meta:
       description = "Detects PowerShell invocation with suspicious parameters"
       author = "Florian Roth"

diff --git a/yara/gen_suspicious_strings.yar b/yara/gen_suspicious_strings.yar
@@ -101,7 +101,7 @@ rule VBS_dropper_script_Dec17_1 {
       filesize < 600KB and $a1 and 1 of ($s*)
 }
 
-rule SUSP_PDB_Strings_Keylogger_Backdoor {
+rule SUSP_PDB_Strings_Keylogger_Backdoor : HIGHVOL {
    meta:
       description = "Detects PDB strings used in backdoors or keyloggers"
       license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"

diff --git a/yara/pua_cryptocoin_miner.yar b/yara/pua_cryptocoin_miner.yar
@@ -16,7 +16,7 @@ rule CoinMiner_Strings : SCRIPT {
       filesize < 3000KB and 1 of them
 }
 
-rule CoinHive_Javascript_MoneroMiner {
+rule CoinHive_Javascript_MoneroMiner : HIGHVOL {
    meta:
       description = "Detects CoinHive - JavaScript Crypto Miner"
       license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"

diff --git a/yara/pua_xmrig_monero_miner.yar b/yara/pua_xmrig_monero_miner.yar
@@ -8,7 +8,7 @@
 
 /* Rule Set ----------------------------------------------------------------- */
 
-rule XMRIG_Monero_Miner {
+rule XMRIG_Monero_Miner : HIGHVOL {
    meta:
       description = "Detects Monero mining software"
       license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"

diff --git a/yara/thor-hacktools.yar b/yara/thor-hacktools.yar
@@ -3947,7 +3947,7 @@ rule SUSP_Imphash_PassRevealer_PY_EXE {
    strings:
       $fp1 = "Assmann Electronic GmbH" ascii wide
       $fp2 = "Oculus VR" ascii wide
-      $fp3 = "befm8load" ascii /* Corsair software */
+      $fp3 = "efm8load" ascii /* Corsair software */
    condition:
       uint16(0) == 0x5a4d and filesize < 10000KB
       and pe.imphash() == "ed61beebc8d019dd9bec823e2d694afd"