v5.0.0 - Expanded YARA Threat Library
5 new rule sets added. YARA coverage grows from 6 to 11 rule sets (23 → 50+ rules).
New Rule Sets
| File | Threats Covered | Rules |
|---|---|---|
| clop.yar | Cl0p ransomware ransom notes, MOVEit exploitation (CVE-2023-34362), GoAnywhere exploitation (CVE-2023-0669), defence evasion | 4 |
| emerging_ransomware.yar | Play, Akira, RansomHub, Black Basta, Hunters International - all active 2024-2025 | 5 |
| lotl_techniques.yar | certutil download/encode, mshta remote HTA, regsvr32 Squiblydoo, wscript/cscript abuse, bitsadmin, PowerShell download cradles, rundll32 LOLBAS | 7 |
| credential_harvesting.yar | Browser credential DB theft (Chrome/Edge/Firefox), DPAPI master key extraction, SAM/NTDS dump, Kerberoasting + AS-REP Roasting, LSA secrets, cloud credential theft (AWS/Azure/GCP/K8s) | 6 |
| supply_chain_attacks.yar | Dependency confusion (PyPI/npm), CI/CD pipeline tampering (GitHub Actions/GitLab CI/Jenkins), malicious npm postinstall hooks, malicious PyPI setup.py, Git submodule tampering, poisoned Docker images | 6 |
Full YARA Rule Set Inventory (v5.0.0)
| File | Coverage |
|---|---|
| ransomware_common.yar | Generic ransomware: file extension change, ransom notes, VSS deletion, CryptoAPI |
| lockbit.yar | LockBit 3.0: ransom note format, dropper anti-analysis, defence evasion |
| blackcat_alphv.yar | BlackCat/ALPHV: Rust binary markers, config JSON, ESXi targeting |
| apt_lateral_movement.yar | Mimikatz, LSASS dump, WMI lateral movement, AD recon, scheduled task persistence |
| data_exfiltration.yar | Rclone cloud exfil, cURL upload, FTP staging, 7-Zip data archiving |
| backup_tampering.yar | Veeam service stop, Windows Backup deletion, agent process kill, NAS share deletion |
| clop.yar | Cl0p ransom notes, MOVEit/GoAnywhere exploitation, defence evasion |
| emerging_ransomware.yar | Play, Akira, RansomHub, Black Basta, Hunters International |
| lotl_techniques.yar | certutil, mshta, regsvr32, wscript/cscript, bitsadmin, PowerShell cradles, rundll32 |
| credential_harvesting.yar | Browser creds, DPAPI, SAM/NTDS, Kerberoasting, LSA secrets, cloud credentials |
| supply_chain_attacks.yar | Dependency confusion, CI/CD tampering, malicious packages, Docker poisoning |
Total: 11 rule sets - 50+ rules