
v5.0.0 - Expanded YARA Threat Library


@OmarRao released this 17 Jun 14:53


5 new rule sets added. YARA coverage grows from 6 to 11 rule sets (23 → 50+ rules).


New Rule Sets

| File | Threats Covered | Rules |
|---|---|---|
| clop.yar | Cl0p ransomware ransom notes, MOVEit exploitation (CVE-2023-34362), GoAnywhere exploitation (CVE-2023-0669), defence evasion | 4 |
| emerging_ransomware.yar | Play, Akira, RansomHub, Black Basta, Hunters International (all active 2024-2025) | 5 |
| lotl_techniques.yar | certutil download/encode, mshta remote HTA, regsvr32 Squiblydoo, wscript/cscript abuse, bitsadmin, PowerShell download cradles, rundll32 LOLBAS | 7 |
| credential_harvesting.yar | Browser credential DB theft (Chrome/Edge/Firefox), DPAPI master key extraction, SAM/NTDS dump, Kerberoasting + AS-REP Roasting, LSA secrets, cloud credential theft (AWS/Azure/GCP/K8s) | 6 |
| supply_chain_attacks.yar | Dependency confusion (PyPI/npm), CI/CD pipeline tampering (GitHub Actions/GitLab CI/Jenkins), malicious npm postinstall hooks, malicious PyPI setup.py, Git submodule tampering, poisoned Docker images | 6 |

Full YARA Rule Set Inventory (v5.0.0)

| File | Coverage |
|---|---|
| ransomware_common.yar | Generic ransomware: file extension change, ransom notes, VSS deletion, CryptoAPI |
| lockbit.yar | LockBit 3.0: ransom note format, dropper anti-analysis, defence evasion |
| blackcat_alphv.yar | BlackCat/ALPHV: Rust binary markers, config JSON, ESXi targeting |
| apt_lateral_movement.yar | Mimikatz, LSASS dump, WMI lateral movement, AD recon, scheduled task persistence |
| data_exfiltration.yar | Rclone cloud exfil, cURL upload, FTP staging, 7-Zip data archiving |
| backup_tampering.yar | Veeam service stop, Windows Backup deletion, agent process kill, NAS share deletion |
| clop.yar | Cl0p ransom notes, MOVEit/GoAnywhere exploitation, defence evasion |
| emerging_ransomware.yar | Play, Akira, RansomHub, Black Basta, Hunters International |
| lotl_techniques.yar | certutil, mshta, regsvr32, wscript/cscript, bitsadmin, PowerShell cradles, rundll32 |
| credential_harvesting.yar | Browser creds, DPAPI, SAM/NTDS, Kerberoasting, LSA secrets, cloud credentials |
| supply_chain_attacks.yar | Dependency confusion, CI/CD tampering, malicious packages, Docker poisoning |

Total: 11 rule sets - 50+ rules