diff --git a/vendor/yara/airbnb_binaryalert.yar b/vendor/yara/airbnb_binaryalert.yar index 00cbc8d7..9011d762 100644 --- a/vendor/yara/airbnb_binaryalert.yar +++ b/vendor/yara/airbnb_binaryalert.yar @@ -15,6 +15,7 @@ private rule MachO { meta: description = "Mach-O binaries" + id = "40526d0e-dede-5001-996c-b12f668a7f53" condition: uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca } @@ -27,6 +28,7 @@ rule hacktool_macos_exploit_cve_5889 description = "http://www.cvedetails.com/cve/cve-2015-5889" reference = "https://www.exploit-db.com/exploits/38371/" author = "@mimeframe" + id = "fbc2c577-6954-51aa-a79f-974f856faf42" strings: $a1 = "/etc/sudoers" fullword wide ascii $a2 = "/etc/crontab" fullword wide ascii @@ -44,6 +46,7 @@ rule hacktool_macos_exploit_tpwn description = "tpwn exploits a null pointer dereference in XNU to escalate privileges to root." reference = "https://www.rapid7.com/db/modules/exploit/osx/local/tpwn" author = "@mimeframe" + id = "bfd4765a-2358-5de7-91e6-9c2e1b70780f" strings: $a1 = "[-] Couldn't find a ROP gadget, aborting." wide ascii $a2 = "leaked kaslr slide," wide ascii @@ -59,6 +62,7 @@ rule hacktool_macos_juuso_keychaindump description = "For reading OS X keychain passwords as root." reference = "https://github.com/juuso/keychaindump" author = "@mimeframe" + id = "196c6132-b538-5055-a4cb-e2d46723d06e" strings: $a1 = "[-] Too many candidate keys to fit in memory" wide ascii $a2 = "[-] Could not allocate memory for key search" wide ascii @@ -76,6 +80,7 @@ rule hacktool_macos_keylogger_b4rsby_swiftlog description = "Dirty user level command line keylogger hacked together in Swift." reference = "https://github.com/b4rsby/SwiftLog" author = "@mimeframe" + id = "7f42e787-a723-5e20-99a3-54e1ffa6ccda" strings: $a1 = "You need to enable the keylogger in the System Prefrences" wide ascii condition: 
@@ -88,6 +93,7 @@ rule hacktool_macos_keylogger_caseyscarborough
description = "A simple and easy to use keylogger for macOS."
reference = "https://github.com/caseyscarborough/keylogger"
author = "@mimeframe"
+ id = "191efd22-3f9e-57da-992f-3cc2ab6ecdfa"
strings:
$a1 = "/var/log/keystroke.log" wide ascii
$a2 = "ERROR: Unable to create event tap." wide ascii
@@ -103,6 +109,7 @@ rule hacktool_macos_keylogger_dannvix
description = "A simple keylogger for macOS."
reference = "https://github.com/dannvix/keylogger-osx"
author = "@mimeframe"
+ id = "175e0f9f-fd57-5306-807f-911031d7537d"
strings:
$a1 = "/var/log/keystroke.log" wide ascii
$a2 = "" wide ascii
@@ -117,6 +124,7 @@ rule hacktool_macos_keylogger_eldeveloper_keystats
description = "A simple keylogger for macOS."
reference = "https://github.com/ElDeveloper/keystats"
author = "@mimeframe"
+ id = "468bf492-2fab-5658-9744-8967a52457e3"
strings:
$a1 = "YVBKeyLoggerPerishedNotification" wide ascii
$a2 = "YVBKeyLoggerPerishedByLackOfResponseNotification" wide ascii
@@ -131,6 +139,7 @@ rule hacktool_macos_keylogger_giacomolaw
description = "A simple keylogger for macOS."
reference = "https://github.com/GiacomoLaw/Keylogger"
author = "@mimeframe"
+ id = "4a9e4fe6-5f28-5f42-9726-ced687055038"
strings:
$a1 = "ERROR: Unable to access keystroke log file. Please make sure you have the correct permissions." wide ascii
$a2 = "ERROR: Unable to create event tap." wide ascii
@@ -145,6 +154,7 @@ rule hacktool_macos_keylogger_logkext
description = "LogKext is an open source keylogger for Mac OS X, a product of FSB software."
reference = "https://github.com/SlEePlEs5/logKext"
author = "@mimeframe"
+ id = "849cbd43-288b-55de-b031-09322e49784c"
strings:
// daemon
$a1 = "logKextPassKey" wide ascii
@@ -171,6 +181,7 @@ rule hacktool_macos_keylogger_roxlu_ofxkeylogger
description = "ofxKeylogger keylogger."
reference = "https://github.com/roxlu/ofxKeylogger"
author = "@mimeframe"
+ id = "622d7da4-25da-56a4-9e60-a225c2eaf0a1"
strings:
$a1 = "keylogger_init" wide ascii
$a2 = "install_keylogger_hook function not found in dll." wide ascii
@@ -185,6 +196,7 @@ rule hacktool_macos_keylogger_skreweverything_swift
description = "It is a simple and easy to use keylogger for macOS written in Swift."
reference = "https://github.com/SkrewEverything/Swift-Keylogger"
author = "@mimeframe"
+ id = "eed3b9bb-e8e4-53b6-8d17-8aa989d8a2fc"
strings:
$a1 = "Can't create directories!" wide ascii
$a2 = "Can't create manager" wide ascii
@@ -201,6 +213,7 @@ rule hacktool_macos_macpmem
description = "MacPmem enables read/write access to physical memory on macOS. Can be used by CSIRT teams and attackers."
reference = "https://github.com/google/rekall/tree/master/tools/osx/MacPmem"
author = "@mimeframe"
+ id = "26ee217b-a3f3-5742-801e-cdc0684dfd99"
strings:
// osxpmem
$a1 = "%s/MacPmem.kext" wide ascii
@@ -222,6 +235,7 @@ rule hacktool_macos_manwhoami_icloudcontacts
description = "Pulls iCloud Contacts for an account. No dependencies. No user notification."
reference = "https://github.com/manwhoami/iCloudContacts"
author = "@mimeframe"
+ id = "7c1f218e-c790-50ce-9408-d20747abde2e"
strings:
$a1 = "https://setup.icloud.com/setup/authenticate/" wide ascii
$a2 = "https://p04-contacts.icloud.com/" wide ascii
@@ -237,6 +251,7 @@ rule hacktool_macos_manwhoami_mmetokendecrypt
description = "This program decrypts / extracts all authorization tokens on macOS / OS X / OSX."
reference = "https://github.com/manwhoami/MMeTokenDecrypt"
author = "@mimeframe"
+ id = "8792bf45-9c92-53cf-a288-e38fe2a19642"
strings:
$a1 = "security find-generic-password -ws 'iCloud'" wide ascii
$a2 = "ERROR getting iCloud Decryption Key" wide ascii
@@ -253,6 +268,7 @@ rule hacktool_macos_manwhoami_osxchromedecrypt
description = "Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X."
reference = "https://github.com/manwhoami/OSXChromeDecrypt"
author = "@mimeframe"
+ id = "1cae37d5-2995-55f6-b821-d89334f11b9a"
strings:
$a1 = "Credit Cards for Chrome Profile" wide ascii
$a2 = "Passwords for Chrome Profile" wide ascii
@@ -270,6 +286,7 @@ rule hacktool_macos_n0fate_chainbreaker
description = "chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner."
reference = "https://github.com/n0fate/chainbreaker"
author = "@mimeframe"
+ id = "6b04050d-006d-56c0-91b4-8dda1c1ff3fa"
strings:
$a1 = "[!] Private Key Table is not available" wide ascii
$a2 = "[!] Public Key Table is not available" wide ascii
@@ -284,6 +301,7 @@ rule hacktool_macos_ptoomey3_keychain_dumper
description = "Keychain dumping utility."
reference = "https://github.com/ptoomey3/Keychain-Dumper"
author = "@mimeframe"
+ id = "7be4b137-619d-5d19-ac31-5c0148a3a77a"
strings:
$a1 = "keychain_dumper" wide ascii
$a2 = "/var/Keychains/keychain-2.db" wide ascii
@@ -302,6 +320,7 @@ rule hacktool_multi_bloodhound_owned
description = "Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains"
reference = "https://github.com/porterhau5/BloodHound-Owned/"
author = "@fusionrace"
+ id = "cffa3b8a-cf55-531b-aa67-ca8a8841bdec"
strings:
$s1 = "Find all owned Domain Admins" fullword ascii wide
$s2 = "Find Shortest Path from owned node to Domain Admins" fullword ascii wide
@@ -323,6 +342,7 @@ rule hacktool_multi_jtesta_ssh_mitm
description = "intercepts ssh connections to capture credentials"
reference = "https://github.com/jtesta/ssh-mitm"
author = "@fusionrace"
+ id = "c44ca655-71f8-50d6-b0ec-9a85434d780f"
strings:
$a1 = "INTERCEPTED PASSWORD:" wide ascii
$a2 = "more sshbuf problems." wide ascii
@@ -336,6 +356,7 @@ rule hacktool_multi_masscan
description = "masscan is a performant port scanner, it produces results similar to nmap"
reference = "https://github.com/robertdavidgraham/masscan"
author = "@mimeframe"
+ id = "7eac2470-b3e3-530a-a123-594776eb1c77"
strings:
$a1 = "EHLO masscan" fullword wide ascii
$a2 = "User-Agent: masscan/" wide ascii
@@ -354,6 +375,7 @@ rule hacktool_multi_ncc_ABPTTS
description = "Allows for TCP tunneling over HTTP"
reference = "https://github.com/nccgroup/ABPTTS"
author = "@mimeframe"
+ id = "c1efad63-0b43-5314-8cbb-08b8b04a3365"
strings:
$s1 = "---===[[[ A Black Path Toward The Sun ]]]===---" ascii wide
$s2 = "https://vulnerableserver/EStatus/" ascii wide
@@ -374,6 +396,7 @@ rule hacktool_multi_ntlmrelayx
description = "https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/"
reference = "https://github.com/CoreSecurity/impacket/blob/master/examples/ntlmrelayx.py"
author = "@mimeframe"
+ id = "e638e9d0-404d-5b48-910c-6b3cd0845b78"
strings:
$a1 = "Started interactive SMB client shell via TCP" wide ascii
$a2 = "Service Installed.. CONNECT!" wide ascii
@@ -390,6 +413,7 @@ rule hacktool_multi_pyrasite_py
description = "A tool for injecting arbitrary code into running Python processes."
reference = "https://github.com/lmacken/pyrasite"
author = "@fusionrace"
+ id = "92cef916-5919-562f-ae5a-06a1e79a8197"
strings:
$s1 = "WARNING: ptrace is disabled. Injection will not work." fullword ascii wide
$s2 = "A payload that connects to a given host:port and receives commands" fullword ascii wide
@@ -415,6 +439,7 @@ rule hacktool_multi_responder_py
description = "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server"
reference = "http://www.c0d3xpl0it.com/2017/02/compromising-domain-admin-in-internal-pentest.html"
author = "@fusionrace"
+ id = "dbe2f8e0-21fa-55f4-90e1-c6bc2b5403f2"
strings:
$s1 = "Poison all requests with another IP address than Responder's one." fullword ascii wide
$s2 = "Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned." fullword ascii wide
@@ -435,6 +460,7 @@ rule hacktool_windows_hot_potato
description = "https://foxglovesecurity.com/2016/01/16/hot-potato/"
reference = "https://github.com/foxglovesec/Potato"
author = "@mimeframe"
+ id = "68799fd0-0aac-5c4e-a76c-594d48a5765d"
strings:
$a1 = "Parsing initial NTLM auth..." wide ascii
$a2 = "Got PROPFIND for /test..." wide ascii
@@ -451,6 +477,7 @@ rule hacktool_windows_moyix_creddump
description = "creddump is a python tool to extract credentials and secrets from Windows registry hives."
reference = "https://github.com/moyix/creddump"
author = "@mimeframe"
+ id = "b3147c06-a1a5-53f2-b1f8-78d6474f9bbe"
strings:
$a1 = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%" wide ascii
$a2 = "0123456789012345678901234567890123456789" wide ascii
@@ -467,6 +494,7 @@ rule hacktool_windows_ncc_wmicmd : FILE {
description = "Command shell wrapper for WMI"
reference = "https://github.com/nccgroup/WMIcmd"
author = "@mimeframe"
+ id = "16f616e2-120c-5067-b083-957f49cb0baa"
strings:
$a1 = "Need to specify a username, domain and password for non local connections" wide ascii
$a2 = "WS-Management is running on the remote host" wide ascii
@@ -486,6 +514,7 @@ rule hacktool_windows_rdp_cmd_delivery
description = "Delivers a text payload via RDP (rubber ducky)"
reference = "https://github.com/nopernik/mytools/blob/master/rdp-cmd-delivery.sh"
author = "@fusionrace"
+ id = "1b00805a-9ea5-5af8-95f8-fd0db0d6cc9f"
strings:
$s1 = "Usage: rdp-cmd-delivery.sh OPTIONS" ascii wide
$s2 = "[--tofile 'c:\\test.txt' local.ps1 #will copy contents of local.ps1 to c:\\test.txt" ascii wide
@@ -501,6 +530,7 @@ rule hacktool_windows_wmi_implant
description = "A PowerShell based tool that is designed to act like a RAT"
reference = "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"
author = "@fusionrace"
+ id = "b32996b2-1706-5af5-ad81-f73d5899c70c"
strings:
$s1 = "This really isn't applicable unless you are using WMImplant interactively." fullword ascii wide
$s2 = "What command do you want to run on the remote system? >" fullword ascii wide
@@ -529,6 +559,7 @@ rule hacktool_windows_mimikatz_copywrite
md5_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
md5_5 = "09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca"
md5_6 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
+ id = "6fe945de-6458-57ee-8a59-54ea85e56c91"
strings:
$s1 = "Kiwi en C" fullword ascii wide
$s2 = "Benjamin DELPY `gentilkiwi`" fullword ascii wide
@@ -551,6 +582,7 @@ rule hacktool_windows_mimikatz_errors
author = "@fusionrace"
md5_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
md5_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
+ id = "5b0c12f0-b182-5c24-bde5-2bb3bc2a5a8f"
strings:
$s1 = "[ERROR] [LSA] Symbols" fullword ascii wide
$s2 = "[ERROR] [CRYPTO] Acquire keys" fullword ascii wide
@@ -568,6 +600,7 @@ rule hacktool_windows_mimikatz_files author = "@fusionrace" md5_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669" md5_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c" + id = "a83b4d1e-23d1-5a58-9973-3c251c9c7c34" strings: $s1 = "kiwifilter.log" fullword wide $s2 = "kiwissp.log" fullword wide @@ -589,6 +622,7 @@ rule hacktool_windows_mimikatz_modules md5_3 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669" md5_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c" md5_5 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143" + id = "c614db69-7e55-5442-b25d-d31ba5df4ca8" strings: $s1 = "mimilib" fullword ascii wide $s2 = "mimidrv" fullword ascii wide @@ -610,6 +644,7 @@ rule hacktool_windows_mimikatz_sekurlsa author = "@fusionrace" SHA256_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669" SHA256_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c" + id = "a7eb069a-1f6f-5e54-9f34-83aa65fa345e" strings: $s1 = "dpapisrv!g_MasterKeyCacheList" fullword ascii wide $s2 = "lsasrv!g_MasterKeyCacheList" fullword ascii wide diff --git a/yara/apt_apt28_drovorub.yar b/yara/apt_apt28_drovorub.yar index f61c5dc1..d1567083 100644 --- a/yara/apt_apt28_drovorub.yar +++ b/yara/apt_apt28_drovorub.yar @@ -5,6 +5,7 @@ reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/" date = "2020-08-13" score = 50 + id = "cab3f67e-e239-5aa6-b691-8c6e2c620b5a" strings: $mw1 = { 89 F1 48 89 FE 48 89 D7 48 F7 C6 FF FF FF FF 0F 84 6B 02 00 00 48 F7 C7 FF FF FF FF 0F 84 5E 02 00 00 48 8D 2D } diff --git a/yara/apt_apt36_operation_sindoor.yar b/yara/apt_apt36_operation_sindoor.yar index 223ada27..2c9c73fa 100644 --- a/yara/apt_apt36_operation_sindoor.yar +++ b/yara/apt_apt36_operation_sindoor.yar 
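Review bot: The added `id` values look like name-derived (version-5) UUIDs, but nothing in the commit records the namespace or the name they were derived from, so a contributor adding a rule by hand cannot reproduce the scheme and a re-run of whatever generated them cannot be checked for drift. A one-line comment in the contributor docs or at the top of the generator naming the inputs (constructed example: `# id = uuid5(<NAMESPACE>, <rule name>)`) would close that gap; the same applies to every other `id` hunk in this commit. Because the field is meant to be a stable identifier and YARA accepts duplicate meta values without complaint, a CI step that fails on a repeated `id` across the rule set is also worth adding. The hunks in vendor/yara/airbnb_binaryalert.yar edit a vendored file, so those ids will be dropped on the next upstream sync unless the generator runs after syncing. The enclosing rule in apt_apt28_drovorub.yar starts outside this hunk.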
@@ -6,6 +6,7 @@ rule SUSP_LNX_Sindoor_ELF_Obfuscation_Aug25 { score = 70 reference = "Internal Research" hash = "6879a2b730e391964afe4dbbc29667844ba0c29239be5503b7c86e59e7052443" + id = "97802224-0d8b-5691-a6f1-f031626cda53" strings: $s1 = "UPX!" condition: @@ -23,6 +24,7 @@ rule SUSP_LNX_Sindoor_DesktopFile_Aug25 { score = 70 reference = "Internal Research" hash = "9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59" + id = "16719116-0cb2-5c70-a86f-f65f9ea32153" strings: $hdr = "[Desktop Entry]" $s1 = "printf '\\\\x7FELF' | dd of" @@ -41,6 +43,7 @@ rule MAL_Sindoor_Decryptor_Aug25 { score = 80 reference = "Internal Research" hash = "9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b" + id = "3c0c5217-b125-51a3-8129-30af5f0c7263" strings: $s1 = "Go build" $s2 = "main.rc4EncryptDecrypt" @@ -67,6 +70,7 @@ rule MAL_Sindoor_Downloader_Aug25 { score = 80 reference = "Internal Research" hash = "38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4" + id = "c1188abc-2bea-5cbc-a39d-9690626c0821" strings: $s1 = "Go build" $s2 = "main.downloadFile.deferwrap" diff --git a/yara/apt_apt3_bemstour.yar b/yara/apt_apt3_bemstour.yar index c4573763..19b828f0 100644 --- a/yara/apt_apt3_bemstour.yar +++ b/yara/apt_apt3_bemstour.yar @@ -7,7 +7,7 @@ author = "Mark Lechtik" company = "Check Point Software Technologies LTD." date = "2019-06-25" sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a" -uuid = "8b76e10a-040f-505e-9dff-cd0a689b121e" +id = "8b76e10a-040f-505e-9dff-cd0a689b121e" strings: $dbg_print_1 = "leaked address is 0x%llx" ascii wide @@ -86,7 +86,7 @@ sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a" */ -uuid = "c30434c3-8949-566c-b6a6-29bffdaf961d" +id = "c30434c3-8949-566c-b6a6-29bffdaf961d" strings: $chunk_1 = { 
@@ -115,7 +115,7 @@ date = "2019-06-25" sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a" -uuid = "c773da5a-2d3f-5a0a-af2e-28ad382622b3" +id = "c773da5a-2d3f-5a0a-af2e-28ad382622b3" strings: diff --git a/yara/apt_cisco_asa_lineviper_rayinitiator_sep25.yar b/yara/apt_cisco_asa_lineviper_rayinitiator_sep25.yar index 4ca0bfb9..eebeb710 100644 --- a/yara/apt_cisco_asa_lineviper_rayinitiator_sep25.yar +++ b/yara/apt_cisco_asa_lineviper_rayinitiator_sep25.yar @@ -6,6 +6,7 @@ rule MAL_Cisco_RayInitiator_Stage_1 { reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf" score = 85 license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/" + id = "5631f2c5-5141-5039-9cd0-a35314aa0bd5" strings: $xc1 = { BB 00 00 40 00 43 81 FB 00 00 60 00 0F 87 AB 00 00 00 @@ -26,6 +27,7 @@ rule MAL_Cisco_RayInitiator_Stage_2 { reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf" score = 85 license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/" + id = "c49bdbe7-eba6-562c-8388-5e638887b405" strings: $xc1 = { 49 89 E0 48 83 F8 30 0F 84 70 00 00 00 49 01 C0 49 8B @@ -44,6 +46,7 @@ rule MAL_Cisco_RayInitiator_Stage_3 { reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf" score = 85 license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/" + id = "ea42c20b-7362-5d2d-9ce2-ad010f3f880d" strings: $xc1 = { 48 81 EE 00 00 00 08 48 B8 63 6C 69 65 6E 74 2D 63 49 
@@ -61,6 +64,7 @@ rule MAL_Cisco_RayInitiator_Stage_3_LINE_VIPER_ShellCode { date = "2025-09-25" reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf" score = 85 + id = "91545ed8-b798-5c0c-a229-e7d37ed7d271" strings: $xc1 = { 48 89 FA 48 83 C7 40 4C 89 CE B9 D0 01 00 00 F3 A4 48 @@ -79,6 +83,7 @@ rule MAL_Cisco_LINE_VIPER_Shellcode_Deobfuscation_Routine { reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf" score = 85 license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/" + id = "608282b5-f296-5d21-b88b-92cd53128d89" strings: $xc1 = { 48 8B 7F 08 48 8D 5F 70 49 C7 C1 00 18 00 00 49 C7 C0 @@ -101,6 +106,7 @@ rule MAL_Cisco_LINE_VIPER_Shellcode_Initial_Execution { reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf" score = 85 license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/" + id = "ca88eff7-bf0d-5959-b614-1afb6d68879e" strings: $xc1 = { 48 8D B7 80 00 00 00 BA 00 20 00 00 [19] 48 C7 C6 00 @@ -124,6 +130,7 @@ rule MAL_Cisco_LINE_VIPER_RSA_Enc_Random_AES_Key_Gen { reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf" score = 85 license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/" + id = "ef37a3cf-aab8-513b-b859-7f7704fce622" strings: $xc1 = { 48 31 C0 49 89 06 49 89 46 08 49 83 C6 10 49 83 ED 10 
@@ -154,6 +161,7 @@ rule MAL_Cisco_LINE_VIPER_AES_Enc_Tasking_Exfil { reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf" score = 85 license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/" + id = "9f3d77a6-3e31-588c-a65d-f1f9d9bc84df" strings: $ = { 48 31 C0 48 89 45 D8 49 89 FC 49 89 F5 49 89 D6 48 8B @@ -184,6 +192,7 @@ rule MAL_Cisco_LINE_VIPER_ICMP_Tasking_Shellcode_Payloads { reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf" score = 85 license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/" + id = "7f8df075-8ed6-5d24-9743-cf3da9a48ec4" strings: $ = { 55 53 41 54 41 55 41 56 41 57 48 89 E5 48 83 EC 60 48 diff --git a/yara/apt_cn_brickstorm_sep25.yar b/yara/apt_cn_brickstorm_sep25.yar index 08ef0232..4c4a4ec9 100644 --- a/yara/apt_cn_brickstorm_sep25.yar +++ b/yara/apt_cn_brickstorm_sep25.yar @@ -6,6 +6,7 @@ rule MAL_G_APT_Backdoor_BRICKSTORM_3 { score = 75 reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign" md5 = "931eacd7e5250d29903924c31f41b7e5" + id = "d50d60ec-0238-569e-911a-696b994416f9" strings: $str1 = { 48 8B 05 ?? ?? ?? ?? 48 89 04 24 E8 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 04 24 [0-5] E8 ?? ?? ?? ?? EB ?? } $str4 = "decompress" ascii // wide nocase @@ -23,6 +24,7 @@ rule MAL_G_Backdoor_BRICKSTORM_2 { date = "2025-09-25" score = 75 reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign" + id = "03618840-c3f3-5ba6-983b-181a855d506b" strings: // $obf_func = /[a-z]{20}\/[a-z]{20}\/[a-z]{20}\/[a-z]{20}.go/ $decr1 = { 0F B6 4C 04 ?? 0F B6 54 04 ?? 31 D1 88 4C 04 ?? 48 FF C0 [0-4] 48 83 F8 ?? 7C } 
@@ -58,6 +60,7 @@ rule MAL_G_APT_Backdoor_BRICKSTORM_1 {
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
md5 = "4645f2f6800bc654d5fa812237896b00"
+ id = "0e56b78c-121d-5ee5-ad3a-103088ecafeb"
strings:
$ = "WRITE_LOGWednesday"
$ = "/home/vsphere-ui/"
@@ -84,6 +87,7 @@ rule MAL_G_APT_Backdoor_BRICKSTORM_2 {
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
+ id = "8418b887-9183-5364-a9d8-d2d4dbdefe83"
strings:
$str1 = { 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? C6 44 ?? ?? 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? 0F 11 84 ?? ?? ?? ?? ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 04 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 4C ?? ?? E8 ?? ?? ?? ?? 4? 83 7C ?? ?? 00 0F 84 ?? ?? ?? ?? 4? 8D 05 ?? ?? ?? ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 4? 8B 7C ?? ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 47 08 83 3D ?? ?? ?? ?? 00 75 ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 07 4? 89 BC ?? ?? ?? ?? ?? 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? ?? 4? 81 C4 ?? ?? ?? ?? C3 }
$str2 = { 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 04 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 4C ?? ?? E8 ?? ?? ?? ?? 4? 8B 44 ?? ?? 4? 85 C0 0F 84 ?? ?? ?? ?? 4? 8D 05 ?? ?? ?? ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 4? 8B 44 ?? ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 48 08 8B 0D ?? ?? ?? ?? 85 C9 75 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 08 84 00 4? 89 84 ?? ?? ?? ?? ?? 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 90 E8 ?? ?? ?? ?? 4? 8B ?? ?4 D8 00 00 00 4? 81 C4 E0 00 00 00 C3 }
@@ -98,6 +102,7 @@ rule WEBSHELL_G_APT_BackdoorWebshell_SLAYSTYLE_1 {
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
+ id = "6d3dfb91-a14b-5420-b17b-c6d65c94fc53"
strings:
//$str1 = /String \w{1,10}=request\.getParameter\(\"\w{1,15}\"\);/ ascii wide nocase
$str1_alt = "=request.getParameter(\""
@@ -118,6 +123,7 @@ rule WEBSHELL_G_APT_BackdoorWebshell_SLAYSTYLE_2 {
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
+ id = "5ab6791b-5043-5fa1-b73e-caba9e059eaa"
strings:
$str1 = "request.getParameter"
$str2 = "/bin/sh"
@@ -135,6 +141,7 @@ rule MAL_G_Backdoor_BRICKSTEAL_1 {
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
+ id = "2457d600-d9dd-504f-baa3-699ec5c61eae"
strings:
$str1 = "comvmware"
$str2 = "abcdABCD1234!@#$"
@@ -152,6 +159,7 @@ rule MAL_G_Dropper_BRICKSTEAL_1 {
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
+ id = "c96eeeb0-ccb4-572c-80b5-638ce3bb51a9"
strings:
$str1 = "Base64.getDecoder().decode"
$str2 = "Thread.currentThread().getContextClassLoader()"
@@ -171,6 +179,7 @@ rule MAL_G_Dropper_BRICKSTEAL_2 {
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
+ id = "8139f8c0-4c18-51bd-bf23-8c4cdc3fd555"
strings:
// $str1 = /\(Class<\?>\)\smethod\.invoke\(\w{1,20},\s\w{1,20},\s0,\s\w{1,20}\.length\);/i ascii wide
$str1_alt = "(Class) method.invoke(" ascii wide
diff --git a/yara/apt_hatman.yar b/yara/apt_hatman.yar
index 9679845b..9ae2fdee 100644
--- a/yara/apt_hatman.yar
+++ b/yara/apt_hatman.yar
@@ -19,6 +19,8 @@ private global rule hatman_filesize : hatman { /* Private rules that are used at the end in the public rules. */ private rule hatman_setstatus : hatman { + meta: + id = "1d5d5568-8a65-510f-a49f-aa551fb9c7a2" strings: $preset = { 80 00 40 3c 00 00 62 80 40 00 80 3c 40 20 03 7c ?? ?? 82 40 04 00 62 80 60 00 80 3c 40 20 03 7c @@ -27,6 +29,8 @@ private rule hatman_setstatus : hatman { $preset } private rule hatman_memcpy : hatman { + meta: + id = "ddbd452a-bf74-5dcb-98a6-034846188aa5" strings: $memcpy_be = { 7c a9 03 a6 38 84 ff ff 38 63 ff ff 8c a4 00 01 9c a3 00 01 42 00 ff f8 4e 80 00 20 } @@ -36,6 +40,8 @@ private rule hatman_memcpy : hatman { $memcpy_be or $memcpy_le } private rule hatman_dividers : hatman { + meta: + id = "8c88e1d9-c7bf-5df0-80e9-7ea4ad45c20b" strings: $div1 = { 9a 78 56 00 } $div2 = { 34 12 00 00 } @@ -43,12 +49,16 @@ private rule hatman_dividers : hatman { $div1 and $div2 } private rule hatman_nullsub : hatman { + meta: + id = "feaf2242-1db8-5a30-a420-d826b9038266" strings: $nullsub = { ff ff 60 38 02 00 00 44 20 00 80 4e } condition: $nullsub } private rule hatman_origaddr : hatman { + meta: + id = "b37364d4-928d-556b-9515-9bb944befe8a" strings: $oaddr_be = { 3c 60 00 03 60 63 96 f4 4e 80 00 20 } $oaddr_le = { 03 00 60 3c f4 96 63 60 20 00 80 4e } @@ -56,6 +66,8 @@ private rule hatman_origaddr : hatman { $oaddr_be or $oaddr_le } private rule hatman_origcode : hatman { + meta: + id = "75acf3a2-0e9b-5280-8830-211c0f46737f" strings: $ocode_be = { 3c 00 00 03 60 00 a0 b0 7c 09 03 a6 4e 80 04 20 } $ocode_le = { 03 00 00 3c b0 a0 00 60 a6 03 09 7c 20 04 80 4e } @@ -63,6 +75,8 @@ private rule hatman_origcode : hatman { $ocode_be or $ocode_le } private rule hatman_mftmsr : hatman { + meta: + id = "56b400d4-2989-5c34-9e8a-0a14b0bf0af1" strings: $mfmsr_be = { 7c 63 00 a6 } $mfmsr_le = { a6 00 63 7c } 
@@ -72,6 +86,8 @@ private rule hatman_mftmsr : hatman { ($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le) } private rule hatman_loadoff : hatman { + meta: + id = "59229427-e982-59af-8fed-59b3db4b5374" strings: $loadoff_be = { 80 60 00 04 48 00 ?? ?? 70 60 ff ff 28 00 00 00 40 82 ?? ?? 28 03 00 00 41 82 ?? ?? } diff --git a/yara/apt_prikormka.yar b/yara/apt_prikormka.yar index df593d6b..c35c3997 100644 --- a/yara/apt_prikormka.yar +++ b/yara/apt_prikormka.yar @@ -32,6 +32,8 @@ private rule PrikormkaDropper { + meta: + id = "a31f8050-360d-5057-875c-64ba6b7ac79c" strings: $kd1 = "KDSTORAGE" wide $kd2 = "KDSTORAGE_64" wide @@ -50,6 +52,8 @@ private rule PrikormkaDropper private rule PrikormkaModule { + meta: + id = "69b1414d-6068-5d3e-8727-c63619c305b5" strings: // binary $str1 = {6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00} @@ -107,6 +111,8 @@ private rule PrikormkaModule private rule PrikormkaEarlyVersion { + meta: + id = "c93ef2a7-72e2-584f-beb3-95e62e020eb2" strings: $str1 = "IntelRestore" ascii fullword $str2 = "Resent" wide fullword diff --git a/yara/apt_unc2891_tinyshell_slapstick.yar b/yara/apt_unc2891_tinyshell_slapstick.yar index 2192dceb..8aca55b4 100644 --- a/yara/apt_unc2891_tinyshell_slapstick.yar +++ b/yara/apt_unc2891_tinyshell_slapstick.yar @@ -6,6 +6,7 @@ rule EXT_HKTL_MAL_TinyShell_Backdoor { reference = "https://www.mandiant.com/resources/blog/unc2891-overview" score = 80 hash1 = "1f889871263bd6cdad8f3d4d5fc58b4a32669b944d3ed0860730374bb87d730a" + id = "4ad5d334-98e4-577f-89c9-86626e8feb58" strings: $sb1 = { C6 00 48 C6 4? ?? 49 C6 4? ?? 49 C6 4? ?? 4C C6 4? ?? 53 C6 4? ?? 45 C6 4? ?? 54 C6 4? ?? 3D C6 4? ?? 46 C6 4? ?? 00 } $sb2 = { C6 00 54 C6 4? ?? 4D C6 4? ?? 45 C6 4? ?? 3D C6 4? ?? 52 } 
@@ -34,6 +35,7 @@ rule EXT_HKTL_MAL_TinyShell_Backdoor_SPARC {
date = "2022-03-17"
reference = "https://www.mandiant.com/resources/blog/unc2891-overview"
score = 80
+ id = "0a05a316-65b7-5cdf-849b-820ab60afbbd"
strings:
$sb_xor_1 = { DA 0A 80 0C 82 18 40 0D C2 2A 00 0B 96 02 E0 01 98 03 20 01 82 1B 20 04 80 A0 00 01 82 60 20 00 98 0B 00 01 C2 4A 00 0B 80 A0 60 00 32 BF FF F5 C2 0A 00 0B 81 C3 E0 08 }
$sb_xor_2 = { C6 4A 00 00 80 A0 E0 00 02 40 00 0B C8 0A 00 00 85 38 60 00 C4 09 40 02 84 18 80 04 C4 2A 00 00 82 00 60 01 80 A0 60 04 83 64 60 00 10 6F FF F5 90 02 20 01 81 C3 E0 08 }
@@ -48,6 +50,7 @@ rule EXT_APT_UNC2891_SLAPSTICK {
date = "2022-03-17"
reference = "https://www.mandiant.com/resources/blog/unc2891-overview"
score = 80
+ id = "2e97b8cb-a86e-5be9-92dc-fd1474aa9547"
strings:
$ss1 = { 25 59 20 25 62 20 25 64 20 25 48 3a 25 4d 3a 25 53 20 20 20 20 00 }
$ss2 = { 25 2d 32 33 73 20 25 2d 32 33 73 20 25 2d 32 33 73 00 }
diff --git a/yara/expl_commvault_cve_2025_57791.yar b/yara/expl_commvault_cve_2025_57791.yar
index a698392d..39030456 100644
--- a/yara/expl_commvault_cve_2025_57791.yar
+++ b/yara/expl_commvault_cve_2025_57791.yar
@@ -5,6 +5,7 @@ rule SUSP_EXPL_CommVault_CVE_2025_57791_Aug25_1 {
author = "X__Junior"
date = "2025-08-21"
score = 60
+ id = "e83f8a1f-23cf-5f6d-aea1-414af813ee74"
strings:
$sa1 = "_localadmin__"
$sa2 = "-localadmin"
@@ -20,6 +21,7 @@ rule SUSP_EXPL_CommVault_CVE_2025_57791_Aug25_2 {
author = "X__Junior"
date = "2025-08-21"
score = 65
+ id = "4a581a0d-bd1d-599d-a1b9-936dbcda75a8"
strings:
$sa1 = "_localadmin__"
$sa2 = "-localadmin" base64
@@ -34,6 +36,7 @@ rule SUSP_EXPL_CommVault_CVE_2025_57791_Artifact_Aug25 {
author = "X__Junior"
date = "2025-08-21"
score = 75
+ id = "9ac37635-fd8b-5241-abc2-bf39bab5ccdf"
strings:
$sa1 = "_localadmin__"
$sa2 = /-cs [a-zA-Z0-9-{}]{3,32} -cs /
@@ -51,6 +54,7 @@ rule EXPL_JSP_CommVault_CVE_2025_57791_Aug25_1 {
date = "2025-08-21"
reference = "https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/"
score = 75
+ id = "6fdfa207-6361-5dfb-b313-623d7cfa95f1"
strings:
$s1 = "" ascii
$s2 = "getMethod('getRuntime').invoke(null).exec(param.cmd)" ascii
@@ -65,6 +69,7 @@ rule EXPL_JSP_CommVault_CVE_2025_57791_Aug25_2 {
date = "2025-08-21"
reference = "https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/"
score = 75
+ id = "068e1598-bcde-579d-910a-449a7ad903d6"
strings:
$s1 = "" ascii
$s2 = "" ascii
@@ -80,6 +85,7 @@ rule EXPL_LOG_CommVault_CVE_2025_57791_Indicator_Shell_Drop_Aug25 {
reference = "https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/"
date = "2025-08-21"
score = 70
+ id = "efc7bcbc-6a38-5832-a12a-b8f9bd9125c1"
strings:
$xr1 = /Results written to \[[C-Z]:\\Program Files\\Commvault\\ContentStore\\Apache\\webapps\\ROOT\\[^\\]{1,20}\.jsp\]/ // https://regex101.com/r/KV8iK6/1
condition:
diff --git a/yara/expl_copy_fail_cve_2026_31431.yar b/yara/expl_copy_fail_cve_2026_31431.yar
index 4c1cb062..5b94fe73 100644
--- a/yara/expl_copy_fail_cve_2026_31431.yar
+++ b/yara/expl_copy_fail_cve_2026_31431.yar
@@ -10,6 +10,7 @@ rule EXPL_LNX_Copy_Fail_Artefacts_CVE_2026_31431_Apr26 {
reference_6 = "https://github.com/iss4cf0ng/CVE-2026-31431-Linux-Copy-Fail"
date = "2026-04-30"
score = 75
+ id = "753c6116-16d0-5890-98ae-84a417345e94"
strings:
// Network indicators (e.g. in bash history, logs, etc.)
$xn1 = "curl https://copy.fail/exp" ascii
diff --git a/yara/expl_lnx_dirtyfrag.yar b/yara/expl_lnx_dirtyfrag.yar
index eddf677a..c4401cd8 100644
--- a/yara/expl_lnx_dirtyfrag.yar
+++ b/yara/expl_lnx_dirtyfrag.yar
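Review bot: The context lines `$s1 = "" ascii` and `$s2 = "" ascii` in EXPL_JSP_CommVault_CVE_2025_57791_Aug25_2, and `$s1 = "" ascii` in EXPL_JSP_CommVault_CVE_2025_57791_Aug25_1 just above it, show empty text strings, which the YARA compiler rejects as empty patterns. This is most likely an artefact of how this page was captured, with angle-bracket content stripped from the literals, rather than the file's real content, but it is worth confirming that expl_commvault_cve_2025_57791.yar still compiles after the `id` lines are added. The same rendering appears as `$a2 = "" wide ascii` in the vendored hacktool_macos_keylogger_dannvix hunk. Both enclosing rules start outside their hunks.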
@@ -6,6 +6,7 @@ rule EXPL_HKTL_LNX_DirtyFragLPE_May26 {
 score = 80
 hash = "c35594d42f7a5d5d2895164147ee1bc62bb8e294c8468093b7d6fcaab0b174c8"
 reference = "https://github.com/V4bel/dirtyfrag/tree/master" 
+ id = "7548b4c6-6b0f-5c05-acab-26dceac109ac"
 strings:
 // Indicators of exploitation attempts
 $x1 = "gained CAP_NET_RAW within netn" ascii
@@ -32,6 +33,7 @@ rule EXPL_HKTL_LNX_DirtyFragShellcode_May26 {
 date = "2026-05-07"
 score = 80
 hash = "a02ea2ba8108a9b7a997faa8808cfc55bb69af54e69178fa5aa1785681cf0ced" 
+ id = "c156da87-c029-5084-9cd3-a233fefdaf25"
 strings:
 $op1 = { 31 ff // xor edi, edi
@@ -64,6 +66,7 @@ rule EXPL_LNX_DirtyFrag_ForensicArtefacts_May26 {
 reference = "https://github.com/V4bel/dirtyfrag/tree/master"
 date = "2026-05-08"
 score = 75 
+ id = "bda5e087-8eb7-55bd-a5ff-0eef91d63bcf"
 strings:
 $xa1 = "/V4bel/dirtyfrag.git" ascii
 $xa2 = "static const uint8_t shell_elf[PAYLOAD_LEN] = {" ascii
diff --git a/yara/expl_sap_netweaver_apr25.yar b/yara/expl_sap_netweaver_apr25.yar
index 29a52ca7..2c9bea59 100644
--- a/yara/expl_sap_netweaver_apr25.yar
+++ b/yara/expl_sap_netweaver_apr25.yar
@@ -6,6 +6,7 @@ rule APT_SAP_NetWeaver_Exploitation_Activity_Apr25_1 : SCRIPT {
 author = "Florian Roth"
 date = "2025-04-25"
 score = 70 
+ id = "1ad16960-f059-57cd-97ba-58f2be6ca3f8"
 strings:
 $x01 = "/helper.jsp?cmd=" ascii wide
 $x02 = "/cache.jsp?cmd=" ascii wide
@@ -20,6 +21,7 @@ rule APT_SAP_NetWeaver_Exploitation_Activity_Apr25_2 : SCRIPT {
 author = "Florian Roth"
 date = "2025-04-25"
 score = 70 
+ id = "3b7d3f94-88a9-5686-8a23-ac4040c0e6c1"
 strings:
 $x03 = "MSBuild.exe c:\\programdata\\" ascii wide
 condition:
@@ -34,6 +36,7 @@ rule SUSP_WEBSHELL_Cmd_Indicator_Apr25 {
 date = "2025-04-25"
 modified = "2025-05-07"
 score = 60 
+ id = "eeeebfbc-9418-5ff4-b45f-8d96a9e7e4a8"
 strings:
 $xr01 = /\.(asp|aspx|jsp|php)\?cmd=[a-z0-9%+\-\/\.]{3,20} HTTP\/1\.[01]["']? 200/
 condition: 
diff --git a/yara/expl_sharepoint_jul25.yar b/yara/expl_sharepoint_jul25.yar
index 8678c7e1..71d0567b 100644 
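Review bot: `$x03 = "MSBuild.exe c:\\programdata\\" ascii wide` in `APT_SAP_NetWeaver_Exploitation_Activity_Apr25_2` is case-sensitive, but Windows paths are not, and command lines, logs and scripts commonly render the path as `C:\ProgramData\`, so the lower-case literal silently misses those variants. Adding the modifier closes the gap: `$x03 = "MSBuild.exe c:\\programdata\\" ascii wide nocase`. The condition body that follows is cut off by the hunk.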
--- a/yara/expl_sharepoint_jul25.yar
+++ b/yara/expl_sharepoint_jul25.yar
@@ -8,6 +8,7 @@ rule WEBSHELL_ASPX_Sharepoint_Drop_CVE_2025_53770_Jul25 {
 hash = "27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014"
 hash = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"
 hash = "b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93" 
+ id = "f1c8f671-a0d2-5aaf-93f4-025dace0dbe1"
 strings:
 $x1 = "var sy = System.Reflection.Assembly.Load(" ascii
 $x2 = "Response.Write(cg.ValidationKey+" ascii
@@ -30,6 +31,7 @@ rule WEBSHELL_ASPX_Compiled_Sharepoint_Drop_CVE_2025_53770_Jul25_2 {
 hash = "8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2"
 hash = "d8ca5e5d6400ac34ac4cc138efa89d2ec4d5c0e968a78fa3ba5dbc04c7550649"
 hash = "7e9b77da1f51d03ee2f96bc976f6aeb781f801cf633862a4b8c356cbb555927d" 
+ id = "00a844ab-aede-53bf-820f-d43a5d96426d"
 strings:
 $x1 = /App_Web_spinstall\d{0,1}.aspx/ wide
 $x2 = /spinstall[\w]?[\._]aspx/ ascii
@@ -58,6 +60,7 @@ rule APT_EXPL_Sharepoint_CVE_2025_53770_ForensicArtefact_Jul25_1 {
 date = "2025-07-20"
 modified = "2025-07-23"
 score = 75 
+ id = "06ad76ef-fc9c-5251-a7c0-cbbb66d79b0e"
 strings:
 $sa1 = /POST \/_layouts\/1[0-9]\/ToolPane\.aspx/ ascii wide nocase
 $sa2 = "DisplayMode=Edit&a=/ToolPane.aspx" ascii wide
@@ -80,6 +83,7 @@ rule APT_EXPL_Sharepoint_CVE_2025_53770_ForensicArtefact_Jul25_2 {
 hash = "30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27"
 hash = "b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93"
 score = 70 
+ id = "c6f26461-04b8-5d69-bf28-e47411c38c82"
 strings:
 $x1 = "-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0" ascii wide
 $x2 = "TEMPLATE\\LAYOUTS\\spinstall" ascii wide
diff --git a/yara/expl_wsus_cve_2025_59287.yar b/yara/expl_wsus_cve_2025_59287.yar
index 477e430d..f0bad8ea 100644
--- a/yara/expl_wsus_cve_2025_59287.yar
+++ b/yara/expl_wsus_cve_2025_59287.yar 
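Review bot: In `$x1 = /App_Web_spinstall\d{0,1}.aspx/ wide` of `WEBSHELL_ASPX_Compiled_Sharepoint_Drop_CVE_2025_53770_Jul25_2` the `.` is unescaped and matches any character, unlike the sibling `$x2 = /spinstall[\w]?[\._]aspx/` which does escape it, and `\d{0,1}` is just `\d?`. Suggest `$x1 = /App_Web_spinstall\d?\.aspx/ wide` so the pattern is anchored on the literal extension. The condition lies outside the hunk.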
@@ -5,6 +5,7 @@ rule EXPL_WSUS_Exploitation_Indicators_Oct25 {
 reference = "https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability"
 date = "2025-10-25"
 score = 75 
+ id = "9a118d85-fbcd-5476-acd8-6bf66f660368"
 strings:
 // Error traceback found in C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log
 $sl1 = "at System.Data.DataSet.DeserializeDataSetSchema(SerializationInfo info, StreamingContext context" ascii wide
@@ -33,6 +34,7 @@ rule HKTL_EXPL_WSUS_Exploitation_POC_Oct25 {
 reference = "https://github.com/jiansiting/CVE-2025-59287/"
 date = "2025-10-26"
 score = 75 
+ id = "3f566bda-c217-55c9-bc21-26dd26b271f5"
 strings:
 $sa1 = "/SimpleAuthWebService/SimpleAuth.asmx"
 $sa2 = "/ReportingWebService/ReportingWebService.asmx"
diff --git a/yara/exploit_cve_2022_22954_vmware_workspace_one.yar b/yara/exploit_cve_2022_22954_vmware_workspace_one.yar
index d0259931..e71c76b8 100644
--- a/yara/exploit_cve_2022_22954_vmware_workspace_one.yar
+++ b/yara/exploit_cve_2022_22954_vmware_workspace_one.yar
@@ -9,6 +9,7 @@ rule SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_1 {
 date = "2022-04-08"
 modified = "2025-03-29"
 score = 60 
+ id = "3ff617bb-6dcd-576f-a1c3-7be1c19c0d5a"
 strings:
 $x2 = "${\"freemarker.template.utility.Execute\"?new()("
 $x3 = "cat /etc/passwd\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute"
@@ -43,6 +44,7 @@ rule LOG_SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_ {
 date = "2022-04-08"
 modified = "2025-03-29"
 score = 60 
+ id = "b46e5cf2-ab5b-5574-a67b-e774063ccd6d"
 strings:
 $x1 = "66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28" ascii
diff --git a/yara/exploit_rar_archive_with_path_traversal_aug25.yar b/yara/exploit_rar_archive_with_path_traversal_aug25.yar
index ebc0fb59..b959161d 100644
--- a/yara/exploit_rar_archive_with_path_traversal_aug25.yar 
+++ b/yara/exploit_rar_archive_with_path_traversal_aug25.yar
@@ -8,6 +8,7 @@ rule EXPL_RAR_Archive_with_Path_Traversal_Aug25 {
 hash = "2a8fafa01f6d3863c87f20905736ebab28d6a5753ab708760c0b6cf3970828c3"
 hash = "dfab2f25c9d870f30bbc4abb873d155cf4904ece536714fb9cd32b2e0126dfab"
 hash = "107f3d1fe28b67397d21a6acca5b6b35def1aeb62a67bc10109bd73d567f9806" 
+ id = "641c7e18-a887-5367-8584-2dc41c7ead53"
 strings:
 // Only look for the users Autostart folder because the most effective attack method
 // Use \ and / to handle archives created on Windows and Linux
diff --git a/yara/gen_doc_follina.yar b/yara/gen_doc_follina.yar
index f3ae919c..462fd46e 100644
--- a/yara/gen_doc_follina.yar
+++ b/yara/gen_doc_follina.yar
@@ -7,6 +7,7 @@ rule SUSP_PS1_Msdt_Execution_May22 {
 modified = "2025-03-21"
 reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
 score = 65 
+ id = "a1863582-87a2-5d07-a549-ef4a31bf0ed2"
 strings:
 $a = "PCWDiagnostic" ascii wide fullword
 $sa1 = "msdt.exe" ascii wide
diff --git a/yara/gen_ps_osiris.yar b/yara/gen_ps_osiris.yar
index cdd8461e..4dd6823a 100644
--- a/yara/gen_ps_osiris.yar
+++ b/yara/gen_ps_osiris.yar
@@ -16,6 +16,7 @@ rule Invoke_OSiRis {
 modified = "2025-03-21"
 score = 70
 hash1 = "19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e" 
+ id = "bc0fe826-6c8a-52e6-afb1-85d499093e50"
 strings:
 $x1 = "$null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target" ascii wide
 $x3 = "-Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username}" ascii wide
diff --git a/yara/gen_susp_obfuscation.yar b/yara/gen_susp_obfuscation.yar
index f99a28bd..54e90c73 100644
--- a/yara/gen_susp_obfuscation.yar
+++ b/yara/gen_susp_obfuscation.yar 
@@ -28,6 +28,7 @@ rule SUSP_Double_Base64_Encoded_Executable {
 hash = "f40c6116c05fbd0433fe4031a896e882c5d31059b93b5015a019c04e2a1add32"
 hash = "e396d1e1957e12595250ff85a7613873a065177c6e5b665e0f2b9f14224e33a3"
 hash = "ea96c8696d48884f337e19dfa4220c13200a28192220ebb1a856a7fd850dff99" 
+ id = "2e714e91-c7e6-5c6f-930a-270ce452ff0c"
 strings:
 /* Double encoded MSDOS stubs
 This program cannot be run in DOS mode
diff --git a/yara/gen_webshells.yar b/yara/gen_webshells.yar
index 091633c0..5e81e40d 100644
--- a/yara/gen_webshells.yar
+++ b/yara/gen_webshells.yar
@@ -116,6 +116,7 @@ rule EXT_WEBSHELL_PHP_Generic {
 hash = "a09dcf52da767815f29f66cb7b03f3d8c102da5cf7b69567928961c389eac11f"
 hash = "d9ae762b011216e520ebe4b7abcac615c61318a8195601526cfa11bbc719a8f1"
 hash = "dd5d8a9b4bb406e0b8f868165a1714fe54ffb18e621582210f96f6e5ae850b33" 
+ id = "ce3c93a5-3088-5e7e-a0d4-8bea18cf9cc3"
 strings:
 $wfp_tiny1 = "escapeshellarg" fullword
 $wfp_tiny2 = "addslashes" fullword
diff --git a/yara/hktl_badsuccessor_helper_may25.yar b/yara/hktl_badsuccessor_helper_may25.yar
index e8db1dbc..3eb8fd6d 100644
--- a/yara/hktl_badsuccessor_helper_may25.yar
+++ b/yara/hktl_badsuccessor_helper_may25.yar
@@ -6,6 +6,7 @@ rule HKTL_EXPL_WIN_PS1_BadSuccessor_May25 {
 reference = "https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory"
 date = "2025-05-22"
 score = 75 
+ id = "4f6ff5ff-831a-520c-8bc5-6fec5e65f9de"
 strings:
 $x1 = "function Get-BadSuccessorOUPermissions" ascii wide
 $x2 = "\"0feb936f-47b3-49f2-9386-1dedc2c23765\"=\"msDS-DelegatedManagedServiceAccount\"" ascii wide
diff --git a/yara/hktl_edge_pwd_dumper_may25.yar b/yara/hktl_edge_pwd_dumper_may25.yar
index 4c9966ea..0e587d3d 100644
--- a/yara/hktl_edge_pwd_dumper_may25.yar
+++ b/yara/hktl_edge_pwd_dumper_may25.yar 
@@ -5,6 +5,7 @@ rule HKTL_NET_Edge_Saved_Passwords_Dumper_May26 {
 reference = "https://github.com/L1v1ng0ffTh3L4N/Proof-of-Concepts/tree/main/EdgeSavedPasswordsDumper"
 date = "2026-05-05"
 score = 80 
+ id = "9d09b27e-16a4-5396-af53-2a2c672bc985"
 strings:
 $x1 = "SELECT ProcessId, Name, ParentProcessId FROM Win32_Process WHERE Name='msedge.exe'" wide
 $x2 = "Scanning process PID: " wide
diff --git a/yara/hktl_edr_freeze_sep25.yar b/yara/hktl_edr_freeze_sep25.yar
index 5b37ab57..1d5963f2 100644
--- a/yara/hktl_edr_freeze_sep25.yar
+++ b/yara/hktl_edr_freeze_sep25.yar
@@ -12,6 +12,7 @@ rule HKTL_EDR_Freeze_Sep25_2 {
 hash5 = "d485017fb20c5a8fe38a6dbf896d4cbce485ff53a6cfe0e1440a1818b2d303ee"
 hash6 = "d989ebd417e6fae60a544e43bfc0ee63f5d9352ce0059b95ed4e7e18efbc5d0b"
 hash7 = "e2b2dd0984e52112965392471f6a09020eb8380aa53d48d2fb4dd3aaa7edae9b" 
+ id = "e3fd5815-71c4-5510-bfb4-82203d81cc78"
 strings:
 $x1 = "EDR-Freeze.exe " wide fullword
 $x2 = "Successfully created PPL process with PID:" wide fullword
diff --git a/yara/hktl_redsun_apr26.yar b/yara/hktl_redsun_apr26.yar
index 97ee1aa2..d267709f 100644
--- a/yara/hktl_redsun_apr26.yar
+++ b/yara/hktl_redsun_apr26.yar
@@ -6,6 +6,7 @@ rule HKTL_RedSun_Privilege_Escalation_Apr26 {
 reference = "https://github.com/Nightmare-Eclipse/RedSun"
 hash = "57a70c383feb9af60b64ab6768a1ca1b3f7394b8c5ffdbfafc8e988d63935120"
 score = 80 
+ id = "64f86635-cf8c-5c65-b821-2d12e8ee9cdb"
 strings:
 $x1 = "\\??\\pipe\\REDSUN" wide
 $x2 = "The red sun shall prevail.\n" ascii fullword
diff --git a/yara/htkl_blue_hammer_tool.yar b/yara/htkl_blue_hammer_tool.yar
index 35a9d3b1..d09bc5e9 100644
--- a/yara/htkl_blue_hammer_tool.yar
+++ b/yara/htkl_blue_hammer_tool.yar 
@@ -13,6 +13,7 @@ rule HKTL_BlueHammer_Apr26 {
 hash = "552dba31a446e96416738d84d4366503c397ba508a732719531c89a41abf3704"
 hash = "c9bec499db6a0a2165bcd2a211c8887e5fadf954eb9a2e5d3c6ca833e4a5ef64"
 score = 90 
+ id = "595bf733-b287-5048-88e2-b88caffc7a5d"
 strings:
 $x1 = "Junction created %ws => %ws"
 $x2 = "connect to windows defender RPC port !!!"
diff --git a/yara/lotusblossom_notepad_exploitation.yar b/yara/lotusblossom_notepad_exploitation.yar
index da3c54c0..8a81739e 100644
--- a/yara/lotusblossom_notepad_exploitation.yar
+++ b/yara/lotusblossom_notepad_exploitation.yar
@@ -6,6 +6,7 @@ rule MAL_Chrysalis_DllLoader_Feb26 {
 reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
 hash = "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad"
 score = 80 
+ id = "a2bf8cde-36a5-565d-9257-f1a4b2d67adc"
 strings:
 $op1 = { 33 D2 8B C1 F7 F6 0F B6 C1 03 55 ?? 6B C0 ?? 32 02 88 04 0F 41 83 F9 ?? 72 }
 $op2 = { 0F B6 04 31 41 33 C2 69 D0 ?? ?? ?? ?? 3B CB 72 }
@@ -21,6 +22,7 @@ rule MAL_Chrysalis_Shellcode_Loader_Feb26 {
 reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
 hash = "e2e3d78437cf9d48c2b2264e44bb36bc2235834fc45bbb50b5d6867f336711e3"
 score = 80 
+ id = "4dce8370-19d3-579a-b1c7-7dd9fbe51ee6"
 strings:
 $op1 = { 8B C7 03 D7 83 E0 ?? 47 8A 4C 05 ?? 8A 04 13 02 C1 32 C1 2A C1 88 02 8B 55 ?? 3B FE 7C ?? 8B 5D ?? 8B 45 }
 $op2 = { 03 F8 8B 45 ?? 8B 50 ?? 85 C9 79 ?? 0F B7 C1 EB ?? 8D 41 ?? 03 C3 50 FF 75 ?? FF D2 89 07 85 C0 74 ?? 8B 4D ?? 46 } 
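Review bot: `$x1 = "Junction created %ws => %ws"` and `$x2 = "connect to windows defender RPC port !!!"` in `HKTL_BlueHammer_Apr26` carry no `ascii`/`wide` modifier, so yara searches only the ASCII form; the `%ws` specifier hints that at least the first literal goes through a wide-capable printf and may be stored as UTF-16 in the listed samples. Worth checking against the two hashes and, if so, changing to `$x1 = "Junction created %ws => %ws" ascii wide`. At score 90 a wrong encoding assumption means a silent miss rather than a false positive. The condition lies outside the hunk.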
@@ -36,6 +38,7 @@ rule MAL_Chrysalis_Backdoor_Feb26 {
 reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
 hash = "e2e3d78437cf9d48c2b2264e44bb36bc2235834fc45bbb50b5d6867f336711e3"
 score = 80 
+ id = "c3621431-9e20-5497-ad0a-e371063e7656"
 strings:
 $opa1 = { 8B 4D ?? C1 CF ?? C1 C1 ?? 03 F9 D1 C3 8B 4D ?? C1 C1 ?? 03 F9 03 FB 8B 5D ?? 69 CF ?? ?? ?? ?? BF ?? ?? ?? ?? 2B F9 EB }
 $opa2 = { F7 E9 [0-1] 8B C2 C1 E8 ?? 03 C2 8D 0C 40 8A C3 34 ?? [0-2] 0F B6 [1-4] 0F B6 C3 8B 5D [1-3] 0F 45 D0 }
@@ -56,6 +59,7 @@ rule MAL_CobaltStrike_Beacon_Loader_Feb26 {
 hash = "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd"
 hash = "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3"
 score = 80 
+ id = "9d6888d0-64c6-5e52-a01a-8bcc51dd16b1"
 strings:
 $opa1 = { 45 33 C9 41 B8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 66 89 44 24 ?? 41 B8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 0F B7 4C 24 ?? FF 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 }
 $opa2 = { 4C 8D 4C 24 ?? 41 B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 4C 24 ?? 4C 8D 0D ?? ?? ?? ?? 45 33 C0 33 D2 48 8B C8 FF 15 }
@@ -76,6 +80,7 @@ rule MAL_POC_Microsoft_Warbird_Loader_Feb26 {
 reference = "https://cirosec.de/en/news/abusing-microsoft-warbird-for-shellcode-execution/"
 hash = "29d0467ee452752286318f350ceb28a2b04ee4c6de550ba0edc34ae0fa7cbb03"
 score = 75 
+ id = "a07f6d10-c463-56a6-a667-82b1c00760af"
 strings:
 $op = { fe af fe ca ef be ad de }
 condition: 
diff --git a/yara/mal_babbleloader_win_jan24.yar b/yara/mal_babbleloader_win_jan24.yar
index 3a4d6997..54fceccd 100644
--- a/yara/mal_babbleloader_win_jan24.yar
+++ b/yara/mal_babbleloader_win_jan24.yar 
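Review bot: `$op = { fe af fe ca ef be ad de }` in `MAL_POC_Microsoft_Warbird_Loader_Feb26` is eight bytes made of two generic magic constants (little-endian 0xCAFEAFFE followed by 0xDEADBEEF), which is a thin basis for a score-75 rule; if the condition is just `$op`, any binary or data blob carrying those constants back to back will fire. Consider anchoring it with a file-type check and size bound, e.g. `uint16(0) == 0x5a4d and filesize < 3MB and $op`, or adding a second Warbird-specific indicator from the referenced write-up. The condition body lies outside the hunk, so this is hedged.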
@@ -7,7 +7,7 @@ rule mal_babbleloader_win_jan24 {
 reference = "https://0x0d4y.blog/babbleloader-technical-malware-analysis/"
 hash = "fa3d03c319a7597712eeff1338dabf92" 
- uuid = "b2f18ab3-b4df-4e2f-aa23-de8694beb221" 
+ id = "b2f18ab3-b4df-4e2f-aa23-de8694beb221"
 license = "CC BY 4.0"
 rule_matching_tlp = "TLP:WHITE"
 rule_sharing_tlp = "TLP:WHITE"
diff --git a/yara/mal_coralwave_remcos_dropper.yar b/yara/mal_coralwave_remcos_dropper.yar
index 110c4446..42751d83 100644
--- a/yara/mal_coralwave_remcos_dropper.yar
+++ b/yara/mal_coralwave_remcos_dropper.yar
@@ -7,6 +7,7 @@ rule MAL_CoralWave_LenovoSPKVOL_RemcosMicDrop {
 hash = "65302b435a5bc30e8f0215455679635ec50b5b1caba9e55f9258d17c7238be54"
 score = 85 
+ id = "fddc398d-6283-5819-895a-d520aff7088c"
 strings:
 $stub_1 = "BAyXuHpAGwdG8ebXF3GvZ32vO3ORY" ascii
 $stub_2 = "IK5HT1XPlj3LoFkKi3YC4QwYQs7s" ascii
diff --git a/yara/mal_crime_win_pe_godrat_aug25.yar b/yara/mal_crime_win_pe_godrat_aug25.yar
index 5fb06d5d..06e75e9b 100644
--- a/yara/mal_crime_win_pe_godrat_aug25.yar
+++ b/yara/mal_crime_win_pe_godrat_aug25.yar
@@ -11,6 +11,7 @@ rule MAL_CRIME_RAT_WIN_PE_GodRat_Aug25: GodRAT {
 tags = "RAT, Windows, GodRAT, Gh0st RAT, GETGOD"
 victims = "Financial services"
 sha256 = "154e800ed1719dbdcb188c00d5822444717c2a89017f2d12b8511eeeda0c2f41" 
+ id = "e6ec0af5-71d3-520a-a671-8634ac2f926f"
 strings:
 // WinRT version string
 $winrt_txt = "C++/WinRT version" ascii wide nocase
diff --git a/yara/mal_etoroloro_nodepackage_dec25.yar b/yara/mal_etoroloro_nodepackage_dec25.yar
index 7c88aace..5dd36732 100644
--- a/yara/mal_etoroloro_nodepackage_dec25.yar
+++ b/yara/mal_etoroloro_nodepackage_dec25.yar
@@ -7,6 +7,7 @@ rule MAL_Etoroloro_Malicious_NodePackage_Dec25 {
 date = "2025-12-12"
 score = 80
 hash = "f08c5b748c91dd45fd73c5e85920f656e361d94b869e2147410b2b528c6ae78f" 
+ id = "4c271502-68c6-5d20-85ea-c7f7628e417a"
 strings:
 $s1 = "DLLSideload."
 $s2 = "Failed to expand path:" wide 
diff --git a/yara/mal_katz_stealer.yar b/yara/mal_katz_stealer.yar
index 329276f4..33e34c3e 100644
--- a/yara/mal_katz_stealer.yar
+++ b/yara/mal_katz_stealer.yar
@@ -7,6 +7,7 @@ rule MAL_Katz_Stealer_May25 {
 hash = "fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789"
 hash = "d92bb6e47cb0a0bdbb51403528ccfe643a9329476af53b5a729f04a4d2139647"
 score = 80 
+ id = "ef84df99-3c1a-56b6-a0fd-39876982d0c3"
 strings:
 $s1 = "Motherboard Product: %s" ascii
 $s2 = "cmd.exe /c %s" ascii
@@ -28,6 +29,7 @@ rule MAL_DLL_Chrome_App_Bound_Encryption_Decryption_May25 {
 reference = "Internal Research"
 hash = "6dc8e99da68b703e86fa90a8794add87614f254f804a8d5d65927e0676107a9d"
 score = 80 
+ id = "ee1e2584-7104-506f-93a9-89e97cf39a93"
 strings:
 $s1 = "Failed to set proxy blanket." ascii
 $s2 = "Decryption failed. Last error:" ascii
@@ -52,6 +54,7 @@ rule SUSP_Katz_Log_May25 {
 hash = "b10796c41e1cec7c84a3c68bfcaa7b20f49b620d1c94304a6b3ed73471fa9031"
 hash = "5a984e2e308fe84e4e2071dd877772361719ba0217c2c23da79dbb82dc15eac8"
 score = 65 
+ id = "be56f0ae-e444-569e-95d7-edccf4c6dd2b"
 strings:
 $s1 = "Motherboard Manufacturer:" ascii
 $s2 = "===== System Information =====" ascii
@@ -70,6 +73,7 @@ rule MAL_NET_Katz_Stealer_Loader_May25 {
 reference = "Internal Research"
 hash = "0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7"
 score = 80 
+ id = "c3d33818-66a1-51d9-9bcd-d8d255f96881"
 strings:
 $x = "ExecutarMetodoVAI" ascii
@@ -92,6 +96,7 @@ rule MAL_NET_UAC_Bypass_May25 {
 hash = "4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7"
 hash = "fcad234dc2ad5e2d8215bcf6caac29aef62666c34564e723fa6d2eee8b6468ed"
 score = 80 
+ id = "bf14177f-be55-5bb1-8218-a4a734532ea4"
 strings:
 $x1 = "CmstpBypass" ascii
 $x2 = { 52 00 45 00 50 00 4C 00 41 00 43 00 45 00 5F 00 43 00 4F 00 4D 00 4D 00 41 00 4E 00 44 00 5F 00 4C 00 49 00 4E 00 45 00 00 13 63 00 6D 00 73 00 74 00 70 00 2E 00 65 00 78 00 65 00 00 33 63 00 6D 00 73 00 74 00 70 00 2E 00 65 00 78 00 65 } 
diff --git a/yara/mal_kernel_regphantom_mar26.yar b/yara/mal_kernel_regphantom_mar26.yar
index 43ea952f..c114cbe1 100644
--- a/yara/mal_kernel_regphantom_mar26.yar
+++ b/yara/mal_kernel_regphantom_mar26.yar
@@ -6,6 +6,7 @@ rule MAL_Kernel_RegPhantom_Mar26 {
 reference = "Internal Research"
 hash = "006e08f1b8cad821f7849c282dc11d317e76ce66a5bcd84053dd5e7752e0606f"
 score = 80 
+ id = "aa8963b5-3053-52a4-a84f-2fc02d03275e"
 strings:
 $s1 = "CmRegisterCallback" fullword
 $s2 = "PsSetCreateThreadNotifyRoutine" fullword
diff --git a/yara/mal_lnx_plague.yar b/yara/mal_lnx_plague.yar
index c079743b..ca27118d 100644
--- a/yara/mal_lnx_plague.yar
+++ b/yara/mal_lnx_plague.yar
@@ -7,6 +7,7 @@ rule MAL_LNX_PLAGUE_BACKDOOR_Jul25 {
 score = 80
 hash = "14b0c90a2eff6b94b9c5160875fcf29aff15dcfdfd3402d953441d9b0dca8b39"
 hash = "7c3ada3f63a32f4727c62067d13e40bcb9aa9cbec8fb7e99a319931fc5a9332e" 
+ id = "2c2e9030-fcef-58c9-9ed2-798560b8b384"
 strings:
 $s1 = "decrypt_phrase"
 $s2 = "init_phrases"
diff --git a/yara/mal_lockbit4_hashing_alg_win_feb24.yar b/yara/mal_lockbit4_hashing_alg_win_feb24.yar
index 74131fa7..c233c632 100644
--- a/yara/mal_lockbit4_hashing_alg_win_feb24.yar
+++ b/yara/mal_lockbit4_hashing_alg_win_feb24.yar
@@ -8,7 +8,7 @@ rule mal_lockbit4_hashing_alg_win_feb24
 reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
 hash = "062311F136D83F64497FD81297360CD4" 
- uuid = "e91aedba-6f70-4ca2-9217-2991cbbc6e8d" 
+ id = "e91aedba-6f70-4ca2-9217-2991cbbc6e8d"
 license = "CC BY 4.0"
 rule_matching_tlp = "TLP:WHITE"
 rule_sharing_tlp = "TLP:WHITE"
diff --git a/yara/mal_lockbit4_packed_win_feb24.yar b/yara/mal_lockbit4_packed_win_feb24.yar
index b080a2d0..bb3ef96e 100644
--- a/yara/mal_lockbit4_packed_win_feb24.yar
+++ b/yara/mal_lockbit4_packed_win_feb24.yar 
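Review bot: `$s1 = "CmRegisterCallback" fullword` and `$s2 = "PsSetCreateThreadNotifyRoutine" fullword` in `MAL_Kernel_RegPhantom_Mar26` are imports found in most legitimate filter, EDR and AV drivers, so at score 80 the rule's precision rests entirely on whatever the condition (outside the hunk) adds; if it amounts to `all of them`, expect hits on benign signed drivers. A comment above `strings:` naming the RegPhantom-specific indicator the condition relies on, or one additional sample-specific string, would make the intent reviewable.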
@@ -7,7 +7,7 @@ rule mal_lockbit4_packed_feb24
 score = 100
 reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
 hash = "15796971D60F9D71AD162060F0F76A02" 
- uuid = "3c2b2806-9dce-4dce-a7ca-89ebc9005695" 
+ id = "3c2b2806-9dce-4dce-a7ca-89ebc9005695"
 license = "CC BY 4.0"
 rule_matching_tlp = "TLP:WHITE"
 rule_sharing_tlp = "TLP:WHITE"
diff --git a/yara/mal_lockbit4_rc4_win_feb24.yar b/yara/mal_lockbit4_rc4_win_feb24.yar
index 08b532b6..d209980a 100644
--- a/yara/mal_lockbit4_rc4_win_feb24.yar
+++ b/yara/mal_lockbit4_rc4_win_feb24.yar
@@ -7,7 +7,7 @@ rule mal_lockbit4_rc4_win_feb24
 score = 100
 reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
 hash = "062311F136D83F64497FD81297360CD4" 
- uuid = "4de48ced-b9fa-4286-aac4-c263ad20d67d" 
+ id = "4de48ced-b9fa-4286-aac4-c263ad20d67d"
 license = "CC BY 4.0"
 rule_matching_tlp = "TLP:WHITE"
 rule_sharing_tlp = "TLP:WHITE"
diff --git a/yara/mal_npm_supply_chain_mar26.yar b/yara/mal_npm_supply_chain_mar26.yar
index 29950b14..b0139bb8 100644
--- a/yara/mal_npm_supply_chain_mar26.yar
+++ b/yara/mal_npm_supply_chain_mar26.yar
@@ -6,6 +6,7 @@ rule MAL_NPM_SupplyChain_Attack_Mar26 {
 reference = "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
 hash = "5e3e89c7351f385e36bb70286866a62957cc1aaab195539edb8c7bb62968a137"
 score = 80 
+ id = "88e7af97-f7c1-591e-960c-d5296da94066"
 strings:
 $s1 = "\"dependencies\":"
 // This is the specific malicious package that was added to the npm registry, which is a typo-squatting of the popular crypto-js package
@@ -23,6 +24,7 @@ rule SUSP_JS_Dropper_Mar26 {
 reference = "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
 hash = "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09"
 score = 70 
+ id = "456a52c2-9cbf-572f-9a5b-b8d74183e3f4"
 strings:
 $sa1 = "Buffer.from("
 $sa2 = "FileSync(" 
diff --git a/yara/mal_npm_supply_chain_nov25.yar b/yara/mal_npm_supply_chain_nov25.yar
index 77b06fda..5d4ae8ba 100644
--- a/yara/mal_npm_supply_chain_nov25.yar
+++ b/yara/mal_npm_supply_chain_nov25.yar
@@ -7,6 +7,7 @@ rule MAL_JS_NPM_SupplyChain_Attack_Nov25 {
 reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
 hash = "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0"
 score = 80 
+ id = "11726cbe-48a7-577a-9694-8f38ffa746e1"
 strings:
 $sa1 = "npm publish"
 $sa2 = "NPM_TOKEN"
@@ -30,6 +31,7 @@ rule SUSP_JS_NPM_Sha1_Hulud_Nov25 {
 reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
 hash = "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0"
 score = 70 
+ id = "511fa6ca-25fe-57d4-a910-277c92d65e4a"
 strings:
 $x1 = "Sha1-Hulud:\\x"
 $x2 = "SHA1HULUD\"`"
@@ -47,6 +49,7 @@ rule SUSP_JS_NPM_SetupScript_Nov25 {
 reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
 hash = "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a"
 score = 70 
+ id = "2d102efd-681a-5af1-b4fe-3489e5e7f8f2"
 strings:
 $sa1 = "require('child_process')"
 $sa2 = "process.platform ==="
@@ -68,6 +71,7 @@ rule MAL_NPM_SupplyChain_Attack_PreInstallScript_Nov25 {
 reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
 hash = "c4bc2afd133916f064f2fb7d1e2e067ea65db33463eeae2fa54a9860a6303865"
 score = 80 
+ id = "eebcf73d-ee26-59c6-aacb-b76232829ea6"
 strings:
 $x1 = "\"preinstall\": \"node setup_bun.js\""
 condition:
diff --git a/yara/mal_npm_supply_chain_sep25.yar b/yara/mal_npm_supply_chain_sep25.yar
index 9660cd89..75dee811 100644
--- a/yara/mal_npm_supply_chain_sep25.yar
+++ b/yara/mal_npm_supply_chain_sep25.yar 
@@ -7,6 +7,7 @@ rule MAL_JS_NPM_SupplyChain_Attack_Sep25 {
 modified = "2025-11-29"
 score = 85
 hash1 = "16f6c756bc8ce5ef5d9aa1ded0f811ec0c9cee3d8f85cc151b8ca1df7b8a4337" 
+ id = "f083233e-348a-5b7d-a128-181c543a279c"
 strings:
 $x1 = "const _0x112fa8=_0x180f;(function(_0x13c8b9" ascii
@@ -27,6 +28,7 @@ rule MAL_JS_NPM_SupplyChain_Compromise_Sep25 {
 date = "2025-09-16"
 modified = "2025-09-17"
 score = 80 
+ id = "f64fa37b-8445-554a-8442-bd2d42a6643b"
 strings:
 $x1 = "if (plat === \"linux\") return \"https://github.com/trufflesecurity/trufflehog/releases"
diff --git a/yara/mal_ralordv1_win_ap25.yar b/yara/mal_ralordv1_win_ap25.yar
index 70cafc67..fd1151f0 100644
--- a/yara/mal_ralordv1_win_ap25.yar
+++ b/yara/mal_ralordv1_win_ap25.yar
@@ -6,7 +6,7 @@ rule MAL_WIN_Ralordv1_Apr25 {
 score = 80
 reference = "https://ish.com.br/wp-content/uploads/2025/04/RALord-Novo-grupo-de-Ransomware-as-a-Service-1.pdf"
 hash = "BE15F62D14D1CBE2AECCE8396F4C6289" 
- uuid = "67254633-3597-4770-9806-8b2e26c8f66a" 
+ id = "67254633-3597-4770-9806-8b2e26c8f66a"
 license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 rule_matching_tlp = "TLP:WHITE"
 rule_sharing_tlp = "TLP:WHITE"
diff --git a/yara/mal_react2shell_campaigns_dec25.yar b/yara/mal_react2shell_campaigns_dec25.yar
index fdbe7cce..2a0d9594 100644
--- a/yara/mal_react2shell_campaigns_dec25.yar
+++ b/yara/mal_react2shell_campaigns_dec25.yar
@@ -6,6 +6,7 @@ rule MAL_ZinFoq_Dec25 {
 score = 85
 reference = "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell"
 hash = "0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce" 
+ id = "fd8d517c-be4f-5170-b877-fbb457c54ef8"
 strings:
 $s1 = "_FlAg_UuId;;;;;;"
 $s2 = "interactive_shell" 
@@ -22,6 +23,7 @@ rule HKTL_CowTunnel_Dec25 {
 score = 85
 reference = "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell"
 hash = "776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273" 
+ id = "83155e55-0074-52d9-95ef-8486139814d1"
 strings:
 $s1 = "cannot create proxy service, it should not happenned!"
 $s2 = "[nss] encrypt_data"
@@ -38,6 +40,7 @@ rule MAL_PeerBlight_Dec25 {
 score = 85
 reference = "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell"
 hash = "a605a70d031577c83c093803d11ec7c1e29d2ad530f8e95d9a729c3818c7050d" 
+ id = "23e6d040-00cb-5ad4-9f9b-bdbabeabd7ab"
 strings:
 $s1 = "/bin/systemd-daemon"
 $s2 = "/lib/systemd/system/systemd-agent.service"
diff --git a/yara/mal_soupdealer_java_aug25.yar b/yara/mal_soupdealer_java_aug25.yar
index 1378bd97..7c7423ea 100644
--- a/yara/mal_soupdealer_java_aug25.yar
+++ b/yara/mal_soupdealer_java_aug25.yar
@@ -6,6 +6,7 @@ rule SUSP_Scheduled_Task_Java_JAR_Aug25 {
 score = 60
 reference = "Internal Research"
 hash = "7c5999082d9c5f3dd342ca05191311ddd1e24ba7675d1e9763fb4d962be3a933" 
+ id = "b06df47a-529f-54d0-86ce-6739d45b4837"
 strings:
 $a0 = "Server Adress:User Info: ui"
@@ -54,6 +55,7 @@ rule WEBSHELL_H4ntu_Shell_Powered_Tsoi {
 score = 80
 old_rule_name = "Webshell_h4ntu_shell__powered_by_tsoi_"
 hash = "06ed0b2398f8096f1bebf092d0526137" 
+ id = "81a017e8-96e4-53c6-a11e-0a11ded13287"
 strings:
 $x1 = "h4ntu shell"
 $x2 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");"
@@ -5764,6 +5766,7 @@ rule WEBSHELL_H4ntu_Shell_Powered_Tsoi_2 {
 modified = "2025-03-21"
 old_rule_name = "WebShell_h4ntu_shell__powered_by_tsoi_"
 hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9" 
+ id = "be2d148e-77b6-5322-98b1-503241b4954e"
 strings:
 $s1 = "<title>h4ntu shell [powered by tsoi]" fullword
 $s2 = "$uname = posix_uname( );" fullword
diff --git a/yara/thor_inverse_matches.yar b/yara/thor_inverse_matches.yar
index 78d42fa3..3ca69eac 100644 
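Review bot: The new `id = "81a017e8-96e4-53c6-a11e-0a11ded13287"` in `WEBSHELL_H4ntu_Shell_Powered_Tsoi` carries a version-5 nibble (third group `53c6`), as do all ids added in this commit, while the `uuid` values merely renamed to `id` elsewhere are version 4; if the v5 values are name-based on the rule name, a later rename — this rule already tracks `old_rule_name` — would produce a different id and defeat its use as a stable reference. Suggest stating the derivation input in the file header or generator so consumers know whether the id survives renames. This hunk also appears here without its `diff --git` / `+++` header, so the file it belongs to is not visible on this page.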
--- a/yara/thor_inverse_matches.yar
+++ b/yara/thor_inverse_matches.yar
@@ -20,6 +20,7 @@ private rule WINDOWS_UPDATE_BDC {
 meta:
 score = 0 
+ id = "44f0ab1c-06a6-5133-b1c7-2f8bbbb13409"
 condition:
 (uint32be(0) == 0x44434d01 and // magic: DCM PA30
 uint32be(4) == 0x50413330)
diff --git a/yara/threat_compromised_daemon_tools_lite_may26.yar b/yara/threat_compromised_daemon_tools_lite_may26.yar
index 4b1de66d..bd54a79b 100644
--- a/yara/threat_compromised_daemon_tools_lite_may26.yar
+++ b/yara/threat_compromised_daemon_tools_lite_may26.yar
@@ -6,6 +6,7 @@ rule MAL_Information_Collector_May26 {
 reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
 hash = "a916e56121212613d17932e124b68752c9312e73bde8f2351054bd64394257df"
 score = 80 
+ id = "97bfe7ef-ba23-550c-a6bf-412c759eec91"
 strings:
 $x1 = ": InfoCollector.exe <" wide
@@ -35,6 +36,7 @@ rule MAL_DAEMON_Tools_Lite_Compromised_May26 {
 hash = "0066ed9b9de2b8e251f7bcf73edcb549218179398cf90124a221958fedce6212"
 hash = "d2a5c9cbb73849cc0667987c33a9bf3822718e1528faef005f1628de3348ffb0"
 score = 80 
+ id = "68b6838a-6075-576b-af90-77c244d4d7a0"
 strings:
 $sa1 = { 31 03 35 55 e4 c4 32 2d a9 e0 b3 81 6d 14 38 4e } // certificate serial number
 $sa2 = "AVB Disc Soft, SIA" ascii
@@ -55,6 +57,7 @@ rule MAL_Backdoor_May26 {
 reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
 hash = "5d581534b48d09855ac045aaf9b196ca26396a6c08616213f9f9afc656849c2f"
 score = 80 
+ id = "8f2493db-3ce6-576a-b1e9-80910dfbbaa8"
 strings:
 $op1 = { 48 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? F3 0F 7F 7D ?? C7 45 ?? ?? ?? ?? ?? F3 0F 7F 75 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? C6 45 ?? ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 95 }
 $op2 = { 4D 8D 40 ?? 99 41 FF C1 41 F7 FB 48 63 C2 0F B6 8C 05 ?? ?? ?? ?? 41 30 48 ?? 49 83 EA } 
@@ -70,6 +73,7 @@ rule MAL_Minimalistic_Backdoor_May26 {
 reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
 hash = "395ec7acd475a8acd358adc75c4615cf41737aed8a96c4f2dd792c8a6af4140c"
 score = 80 
+ id = "8292161d-8b20-51e0-987a-dd0f4c1cf3e8"
 strings:
 $x1 = "Note: if multiple processes load the DLL," wide
 $x2 = "Inject (shellcode file is RC4 ciphertext; key is a UTF-8 string" wide
diff --git a/yara/vuln_erlang_otp_ssh_cve_2025_32433.yar b/yara/vuln_erlang_otp_ssh_cve_2025_32433.yar
index 51ed4b5f..41102766 100644
--- a/yara/vuln_erlang_otp_ssh_cve_2025_32433.yar
+++ b/yara/vuln_erlang_otp_ssh_cve_2025_32433.yar
@@ -5,6 +5,7 @@ rule VULN_Erlang_OTP_SSH_CVE_2025_32433_Apr25 {
 reference = "https://www.upwind.io/feed/cve-2025-32433-critical-erlang-otp-ssh-vulnerability-cvss-10"
 date = "2025-04-18"
 score = 60 
+ id = "fd0ff924-d0f3-5dcc-90f3-55875b90102e"
 strings:
 $a1 = { 46 4F 52 31 ?? ?? ?? ?? 42 45 41 4D }
diff --git a/yara/yara_mixed_ext_vars.yar b/yara/yara_mixed_ext_vars.yar
index 566a5565..5e60c87a 100644
--- a/yara/yara_mixed_ext_vars.yar
+++ b/yara/yara_mixed_ext_vars.yar
@@ -555,6 +555,7 @@ rule SUSP_DLL_SideLoading_Characteristics_Feb26 {
 date = "2026-02-03"
 score = 70
 hash1 = "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad" 
+ id = "465badb7-f550-5a12-87a0-e6977cbcb208"
 strings:
 $s1 = "log.dll" fullword ascii
 condition:
@@ -577,6 +578,7 @@ rule SUSP_Renamed_Bitdefender_Submission_Wizard_Feb26 {
 date = "2026-02-03"
 score = 65
 hash1 = "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924" 
+ id = "1c5e0314-8ced-5680-92eb-df03cc4e5847"
 strings:
 $s1 = "BDSubWiz.exe" wide fullword
 $s2 = "Bitdefender Submission Wizard" wide